Department of Homeland Security

New Media for Offices of Inspectors General: A Discussion of Legal, Privacy and Information Security Issues

This report was prepared on behalf of Council of the Inspectors General on Integrity and Efficiency

OIG-13-121    September 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

September 16, 2013

Preface

At the request of the Council of the Inspectors General on Integrity and Efficiency (CIGIE) Homeland Security Roundtable (HSR) and with the approval of the CIGIE Executive Council, the Department of Homeland Security (DHS) Office of Inspector General (OIG) chaired the New Media Working Group (Working Group), consisting of public affairs specialists, attorneys, information technology (IT) professionals, and other subject matter experts, to assess OIG use of new media.

In September 2011, the Working Group produced Recommended Practices for Offices of Inspectors General Use of New Media. The report discusses current and prospective uses of new media tools in the OIG community and suggests practices that OIGs may use as they consider implementing such tools.
CIGIE endorsed the recommendations in the report, including establishing a permanent standing working group on emerging technologies and their impact on the OIG community, and issuing an educational guide on legal, privacy, and information security new media issues.

This report implements one of the recommendations to CIGIE. It is a product of permanent standing working group attorneys and information security specialists from 13 OIGs. We trust that this report will guide OIGs as they use or consider using new media to further the OIG mission. We express our appreciation to all who contributed to the preparation of this report.

Charles K. Edwards
Deputy Inspector General

Table of Contents

Executive Summary

Background

Legal and Privacy Consideration

    Regulating Speech Under the First Amendment
    Overview of the Public Forum Doctrine
    Official Government Speech
    Regulating Public Platforms
    Regulating Internal Platforms
    Unofficial Employee Use of New Media
    First Amendment Guidance in a Social Media Policy

    The Fourth Amendment and the Expectation of Privacy
    Reducing or Eliminating Employees’ Privacy Expectations

    Information and Privacy
    The Privacy Act of 1974
    The E-Government Act of 2002 and Privacy Impact Assessments
    Adapted PIAs and Third-Party Websites or Apps
    Web Measurement and Customization Technologies or “Cookies”
    Freedom of Information Act

    Information Collection
    Paperwork Reduction Act
    Federal Advisory Committee Act

    Records Management

    Human Resources
    Recruiting and Hiring
    Workplace Discrimination Claims
    Harassment and Hostile Work Environment Claims
    Retaliation Claims
    Taking Adverse Action

    Ethics
    Ethics Overview
    Overview of Impartiality and Endorsements
    Impartiality and Endorsements – Unofficial Employee Use
    Impartiality and Endorsements – Official OIG Use
    Employee Use of Government Resources
    Restrictions on Outside Activities
    Nondisclosure of Nonpublic Information
    Prohibition of Lobbying
    Prohibition of Partisan Activities
    Some Appropriations Restrictions

    Procurement and Terms of Service Agreements
    No-Cost Agreements
    User Agreements and Terms of Service
        Indemnification Clauses
        Choice of Law/Choice of Forum Clauses
        Confidentiality Clauses
        Advertising Clauses

    Intellectual Property Issues
    Government Seals
    Copyrights
    Liability for Copyright Infringement
    Trademarks

    Public Accessibility
    Section 508 of the Rehabilitation Act
    Accessibility for People with Limited English Proficiency

    Liability

Information Security Considerations

    Federal Information Security Management Act of 2002
    Cloud Computing
    Social Media

    Engaging New Media Providers

    Protecting OIG Networks While Accessing New Media Platforms

Conclusion

Appendixes
    Appendix A:   Objectives, Scope and Methodology
    Appendix B:   Sample New Media FISMA Legal Analysis
    Appendix C:   FISMA, NIST, OMB, FedRAMP, and Privacy Considerations
    Appendix D:   Negotiating, Contracting, and Communicating Information Security Requirements
    Appendix E:   Protecting OIG Networks While Accessing New Media Platforms
    Appendix F:   Major Contributors to This Report

Abbreviations
    apps          applications
    CIGIE         Council of Inspectors General on Integrity and Efficiency
    CIO           Chief Information Officer
    DHS           Department of Homeland Security
    DLP           data loss prevention
    EO            Executive Order
    FACA          Federal Advisory Committee Act
    FAQ           frequently asked questions
    FAR           Federal Acquisition Regulation
    FedRAMP       Federal Risk and Authorization Management Program
    FIPS          Federal Information Processing Standards
    FISMA         Federal Information Security Management Act of 2002
    FOIA          Freedom of Information Act
    Fed. Reg.     Federal Register
    FTCA          Federal Tort Claims Act
    GAO           U.S. Government Accountability Office
    GSA           General Services Administration
    HR            human resources
    IG            Inspector General
    IP            Internet protocol
    IT            information technology
    LEP           Limited English Proficiency
    MSPB          Merit Systems Protection Board
    NARA          National Archives and Records Administration
    NIST          National Institute of Standards and Technology
    OGE           Office of Government Ethics
    OIG           Office of Inspector General
    OLC           Office of Legal Counsel
    OMB           Office of Management and Budget
    PCIE          President’s Council on Integrity and Efficiency
    PIA           Privacy Impact Assessment
    PII           personally identifiable information
    PRA           Paperwork Reduction Act
    SaaS          Software as a Service
    SAOP          Senior Agency Office for Privacy
    SORN          Systems of Record Notice
    SP            Special Publication
    Title VII     Title VII of the Civil Rights Act of 1964
    TOS           terms of service

The Council of the Inspectors General on Integrity and Efficiency (CIGIE) was statutorily established as an independent entity within the executive branch by the Inspector General Reform Act of 2008, Public Law 110-409.
The mission of the CIGIE is to—

   • Address integrity, economy, and effectiveness issues that transcend individual government agencies; and

   • Increase the professionalism and effectiveness of personnel by developing policies, standards, and approaches to aid in the establishment of a well-trained and highly skilled workforce in the Federal Office of Inspector General (OIG) community.

Membership

   • All Inspectors General (IGs) whose offices are established under either section 2 or section 8G of the Inspector General Act, or pursuant to other statutory authority (e.g., the Special IGs for Iraq Reconstruction, Afghanistan Reconstruction, and Troubled Asset Relief Program)

   • The IG of the Intelligence Community and the Central Intelligence Agency

   • The IGs of the Government Printing Office, the Library of Congress, the Capitol Police, the Government Accountability Office, and the Architect of the Capitol

   • The Controller of the Office of Federal Financial Management

   • A senior-level official of the Federal Bureau of Investigation, designated by the Director of the Federal Bureau of Investigation

   • The Director of the Office of Government Ethics

   • The Special Counsel of the Office of Special Counsel

   • The Deputy Director of the Office of Personnel Management

   • The Deputy Director for Management of the Office of Management and Budget (OMB)

CIGIE Homeland Security Roundtable

Since September 11, 2001, protecting our Nation has been a paramount concern of the entire Federal establishment. The OIG community plays a significant role in reviewing the performance of agency programs and operations that affect homeland security. To a large extent, this has been accomplished through collaborative efforts among multiple OIGs.

On June 7, 2005, the President’s Council on Integrity and Efficiency (PCIE) Vice-Chair established a PCIE Homeland Security Roundtable. The roundtable supports the OIG community by sharing information, identifying best practices, and participating on an ad hoc basis with various external organizations and government entities. The CIGIE New Media Working Group was formed under the auspices of the Homeland Security Roundtable.

Executive Summary

The rapid expansion and growing popularity of new media, including interactive social media, is creating both opportunities and challenges for Federal Inspectors General. This report, produced by the Council of Inspectors General on Integrity and Efficiency (CIGIE) New Media Working Group, is designed to give detailed guidance to Inspectors General and their staffs on legal, privacy, and information security issues related to the use of social media.

This report follows up on the New Media Working Group’s initial effort published in September 2011. Recommended Practices for Offices of Inspectors General Use of New Media presented Inspector General views on new media based on a survey sent to 79 CIGIE members, generally analyzed issues involving OIGs and emerging technologies, and made six recommendations to OIGs and one recommendation to CIGIE.

This report focuses on two Office of Inspector General (OIG) uses of new media: official use, such as for public affairs outreach and human resources purposes, and unofficial use by employees.
It does not cover OIG uses of new media in the law enforcement, national security, or intelligence contexts, and its guidance may not apply equally in those contexts. The report provides guidance on a range of legal and policy issues, including constitutional considerations, information and privacy, accessibility, ethics, terms of service, intellectual property, information collection, liability, and records management. It also offers insights into the information security challenges inherent in installing, hosting, monitoring, and managing official new media ventures. Although the Working Group has strived to draft a reader-friendly report, written for lay people as well as specialists, the issues that this report presents cover a wide variety of apparently disparate topics and concerns. The variety of topics reflects the breadth of experience and knowledge that OIGs must employ to address new media issues.

Our research and analysis is intended to help not only the larger offices that may already have a new media program or are starting one, but also the smaller offices with fewer resources. Regardless of whether an OIG already uses, is planning to use, or is not intending to use social media, policies and safeguards should be developed since many, if not most, employees are already individually engaged in this new cyber community.

This report should not be used as a substitute for independent legal advice.[1] This is a fluid area, and laws and policies may change at a rapid pace.

This report makes no recommendations.

[1] The CIGIE New Media Working Group members and sponsors expressly disclaim liability for errors and omissions in the contents of this report. No warranty of any kind, implied, expressed, or statutory, is given with respect to the contents. The information appearing in this report is for general informational purposes only and is not intended to provide legal, privacy, or information security-related advice to any individual or entity. We urge you to consult with your own legal, privacy, or information security advisor before taking any action based on information appearing in this report.

Background

As discussed in the 2011 Council of Inspectors General on Integrity and Efficiency (CIGIE) report, new media encompasses all forms of electronic, digitized, and interactive media, including tools that allow users to share content through text, images, audio, and/or video. New media applications (apps) may be hosted internally or obtained through cloud services. New media tools such as SharePoint and the Office of Management and Budget (OMB) MAX platform facilitate knowledge management, collaboration, and internal communication within the Federal Government, whether intra-agency or government-wide.

This report covers such tools to an extent but focuses to a great degree on social media, a subset of new media that allows for public interaction, collaboration, and participation.
Types of social media include collaborative projects (e.g., Wikipedia, wikis), blogs and microblogs (e.g., Twitter), media sharing websites (e.g., YouTube, Flickr), social or professional networking websites (e.g., Facebook, MySpace, LinkedIn, Google+), and virtual social worlds (e.g., Second Life).

The legal, privacy, and information security framework will vary depending on where the new media is hosted, such as whether it is hosted internally by an OIG, or externally, such as Software as a Service (SaaS) or third-party websites and apps. In addition, the analysis may change depending on whether the new media is used to share internally or externally, and whether the external information sharing is unidirectional, coming solely from an OIG, or allows input and sharing from the public.

Legal and Privacy Considerations

Regulating Speech Under the First Amendment

Like other employers, OIGs have an interest in monitoring employee performance and conduct, and not just while employees are at work. Increasingly, employees’ professional lives and personal lives are merged, with employees broadcasting via social media networks their views about their work, coworkers, and supervisors. Employers, including government employers, may not always like what employees have to say. Yet while private sector employers may extend their workplace policies to the online and virtual world without considering First Amendment implications, a government employer must balance the need to regulate speech with employees’ First Amendment rights.[2] In the new media environment, these obligations constitute a highly nuanced and ever-changing area of law.

[2] The First Amendment states that “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” U.S. CONST. amend. I.

In addition to balancing employee rights with employer needs, OIG decision makers need to consider the First Amendment when regulating speech on official new media websites: specifically, whether allowing or disallowing public commentary on an OIG-sponsored new media website will affect any First Amendment analysis. Intentionally allowing the public to participate and comment on an official social media website raises First Amendment issues if the OIG wants to edit or restrict any of the commentary.
It is wise to consider the purpose of the social media website, or “public forum,” ahead of time since an OIG’s intent and purpose for a social media website will largely determine the standard the courts use to evaluate whether an OIG appropriately and legally regulates comments.

The following discussion of First Amendment implications in relation to new media includes an overview of the public forum doctrine; official government usage or the “government speech” doctrine; regulating public and internal platforms; unofficial, non-work-related employee use of new media; and First Amendment guidance in a social media policy.

Overview of the Public Forum Doctrine

The Supreme Court employs “forum analysis” to determine when the government may limit or exclude expressive activity in public property or places where people assemble or debate.[3] Traditionally, the Supreme Court evaluated speech restrictions on the government’s physical or “tangible” property, such as an amphitheater, but the Court expanded the analysis to include non-traditional “property,” such as a university meeting facility or school board meeting.[4] Although applying forum analysis to such a “metaphysical” or virtual world as new media is relatively new, it can be done.[5]

[3] Christian Legal Soc'y Chapter of the Univ. of Cal., Hastings Coll. of the Law v. Martinez, 130 S. Ct. 2971, 2984 (2010).

[4] See Perry Educ. Ass'n v. Perry Local Educators’ Ass’n, 460 U.S. 37, 45 (1983) (citing Widmar v. Vincent, 454 U.S. 263 (1981) (university meeting facilities); City of Madison Joint School District v. Wisconsin Employment Relations Comm'n, 429 U.S. 167 (1976) (school board meeting); Southeastern Promotions, Ltd. v. Conrad, 420 U.S. 546 (1975) (municipal theater)).

[5] OIGs may not own the digital spaces in which they use new media but can still create public forums in those areas. A forum does not even need to exist spatially or geographically; it may be metaphysical. See Christian Legal Soc'y, 130 S. Ct. at 2979 (public forum precedents supply the appropriate framework for the speech and association rights claims regarding student-group funding and school email lists at a public law school); Rosenberger v. Rector and Visitors of Univ. of Va., 515 U.S. 819, 827 (1995) (funding for student activity publications constitutes a public forum). Cf. David S. Ardia, Government Speech and Online Forums: First Amendment Limitations on Moderating Public Discourse on Government Websites, 2010 BYU L. REV. 1981, 1993 (2010) (“It remains an open question whether these virtual spaces will inherit the same protections for speech that we take for granted in the physical world.”).

Generally, under the “public forum doctrine,” government official use of new media may fit into one of three forum categories[6]: “designated” public forum, “limited” public forum (which may be considered a subcategory of a designated public forum), or “nonpublic” forum.
The lines between these categories are not always clear.[7]

Courts have found that the government creates a designated public forum when government property that has not traditionally been regarded as a public forum is “intentionally opened up for that purpose.”[8] Examples include a public university auditorium or municipal theater.[9] New media platforms likely constitute designated public forums when they are interactive and allow the public to express themselves, particularly if it is the agency policy or practice to create such a forum.[10] Having such a policy or practice indicates intent to designate areas “for expressive activity by citizens.”[11] The Supreme Court has made intent the key determinant of whether a forum is public or nonpublic.[12] When the government regulates speech in designated public forums, courts will evaluate the government’s regulations under “strict scrutiny,” meaning that the “restriction must be narrowly tailored to serve a compelling government interest,” and restrictions based on viewpoint are prohibited.[13]

A limited public forum is a subset of a designated public forum, where the government may limit access to certain groups or topics, as long as the restrictions are reasonable and viewpoint-neutral.[14] When the government excludes a speaker based on the subject matter of his speech, the exclusion need only be reasonable and viewpoint-neutral.[15] When the government excludes a speaker who falls within the class to which a designated public forum is made generally available, however, or excludes a speaker whose speech obviously falls within the subject matter constraints of the forum, the government’s action is not judged by whether it is reasonable and viewpoint-neutral but is subject to strict scrutiny.[16] In other words, if an OIG opened a forum for congressional staffers to discuss open OIG recommendations, excluding a staffer discussing that topic must be judged under strict scrutiny, but excluding him because he is not discussing open OIG recommendations needs only to be reasonable and viewpoint-neutral.

[6] A fourth “traditional public forum” category includes areas such as streets or parks that “have immemorially been held in trust for the use of the public.” Perry, 460 U.S. at 45 (quoting Hague v. Comm. for Indus. Org., 307 U.S. 496, 515 (1939)). Since the government has not held new media sites open historically or immemorially for public speech, it is unlikely that a court would find that the government created a traditional public forum with external new media tools, so we will not further analyze this category. See Ardia, supra note 5, at 1998 (“Given the Internet’s short history, there is little chance that a website, or indeed anything on the Internet, would be considered a traditional public forum”).

[7] Lyrissa Lidsky, Government Sponsored Social Media and the Public Forum Doctrine Under the First Amendment: Perils and Pitfalls, 19 THE PUB. LAWYER 2 (Summer 2011).

[8] Pleasant Grove City, Utah v. Summum, 555 U.S. 460, 469 (2009). To determine whether the government intended to create a limited public forum, courts look to the government’s “stated purpose” and “objective indicia of intent,” such as “the consistent policy and practice of the government.” Bryant v. Gates, 532 F.3d 888, 896 (D.C. Cir. 2008) (emphasis in original) (quoting Stewart v. Dist. of Columbia Armory Bd., 863 F.2d 1013, 1016-17 (D.C. Cir. 1988)).

[9] Perry, 460 U.S. at 45.

[10] Id. at 47.

[11] Lyrissa Lidsky, Public Forum 2.0, 91 B.U. L. REV. 1975, 1998 (2011); see also Ardia, supra note 5, at 1998-99 (“In the end, it is likely that a government website that allows private speech will be viewed under the public forum doctrine as a limited public forum – that is, ‘public property which the state has opened for use by the public as a place for expressive activity.’”) (quoting Perry, 460 U.S. at 45)).

[12] E.g., Cornelius v. NAACP Legal Def. & Educ. Fund, 473 U.S. 788, 802-03 (1985).

[13] Summum, 555 U.S. at 461.

[14] Perry, 460 U.S. at 46; Christian Legal Soc'y Chapter of the Univ. of Cal., Hastings Coll. of the Law v. Martinez, 130 S. Ct. 2971, 2984 (2010).

[15] Summum, 555 U.S. at 470.

Finally, a nonpublic forum is “[p]ublic property that is not by tradition or designation a forum for public communication.”[17] Government internal use, such as SharePoint or an internal wiki or blog, would fall under this category.
The government may make “time, place, and manner” restrictions on speech in this forum, and may regulate to “reserve the forum for its intended purposes, communicative or otherwise, as long as the regulation on speech is reasonable and not an effort to suppress expression merely because public officials oppose the speaker's view.”18 Courts examine only the reasonableness of government regulations because the government has not “dedicated” this property to speech activity.19

Official Government Speech

Public forum analysis does not apply to the government speech doctrine because, as the name implies, this is when the government speaks for itself.20 First Amendment free speech protections do not apply when the government expresses its own views.21 For example, tweets from an official government account are not subject to First Amendment protections because the government is tweeting its own message. When an OIG uses a social media website solely to share information about its programs and related issues but allows no public commentary or participation, the government speech doctrine would apply.22

16 Ark. Educ. Television Comm’n v. Forbes, 523 U.S. 666, 677 (1998); see also Cornelius, 473 U.S. at 802.
17 Perry, 460 U.S. at 46.
18 Id.
19 Id.
20 Summum, 555 U.S. at 464.
21 Id. at 467-68.
22 Lidsky, supra note 11, at 1996 (“A non-interactive Facebook page controlled by a government actor would doubtless be treated as government speech. . . .”).

This option is the easiest to manage in that it raises no First Amendment issues, yet it may not allow an OIG to take full advantage of social media. Most people would argue that allowing public participation is the point of social media; it is not meant to be a one-way street. Decision makers should consider their goals before setting up a social media account, and if they see no benefit of engaging the public, then settling for this option should be fine. Whatever an OIG decides, it is important to avoid using the government speech doctrine as a pretext for regulating private speech on government property, such as a public forum.23 See Table 1, First Amendment Categories.

Table 1: First Amendment Categories

Type               Example                                   Regulation Standard
Designated         • Interactive new media that allows       • Strict scrutiny
Public Forum         public comments                         • Restrictions based on viewpoint prohibited
                   • Determining factor is intent
Limited Public     • New media that may allow public         • Restrictions must be reasonable and
Forum                interaction but restricts access to       viewpoint-neutral
                     certain groups, topics, or individuals  • If government excludes speaker whose
                                                               speech falls within subject matter constraints
                                                               of forum, however, subject to strict scrutiny
Nonpublic          • Internal new media, such as             • Time, manner, place restrictions acceptable
Forum                SharePoint or an internal wiki or blog  • Must be reasonable
                                                             • Can reserve forum for intended purposes
Government         • Official OIG social media that pushes   • The First Amendment does not apply
Speech               out message unidirectionally
                   • No public participation

Regulating Public Platforms

At times it may be unclear whether an OIG is speaking for itself or has created a public forum. In most cases involving new media there will be a mixture of government and private speech.24 For example, when an OIG engages the public through its blog or Facebook page, it likely creates a limited public forum in the comments section of each “post.”25 In those cases, the OIG should regulate public speech according to the limited or designated public forum context, as appropriate.

Under the public forum doctrine, OIGs may not discriminate against speech solely because of the viewpoint expressed. Only when the regulation is reasonable and necessary to preserve the purpose of the forum may an OIG regulate who may speak in new media limited public forums and what is said in those forums. For example, when an OIG blogs about its most recent audit report, it may delete comments to the post that are off-topic or entirely unrelated to the audit or OIG programs, but it would be improper to delete comments that express displeasure with the results or opinions of an OIG audit.
Additionally, OIGs may remove comments that advertise nongovernmental products, services, or organizations because such speech may be an improper endorsement under Federal ethics rules.26 Finally, OIGs will want to remove any information resulting from public participation that may identify a specific person, such as a Social Security number, photograph, or date of birth. Participants need to be advised that they should not post such information.

23 See Summum, 555 U.S. at 473 (acknowledging the “legitimate concern that the government speech doctrine not be used as a subterfuge for favoring certain private speakers over others based on viewpoint”).
24 Lidsky, supra note 11, at 1997-98.
25 Id. at 1999 (“There is little doubt that [interactive social media] sites are forums, at least with regard to the comments portion of the site.”).

OIGs also may encounter issues with indecent or vulgar commentary on external new media websites. OIG account managers may restrict or remove “unprotected speech”27 from new media websites so long as they do not narrowly apply the unprotected speech rules to discriminate against certain views.28 Unprotected speech includes fighting words,29 words that imminently incite illegal behavior,30 threats,31 and obscenities or obscene material.
32

Additionally, speech on new media websites that does not rise to the level of unprotected speech under the First Amendment may still disrupt the purpose of the forum and thus may call for removal. Several courts have upheld restrictions on speech in public meetings to maintain decorum and limit discussion to the purpose of the forum, as long as they do not discriminate based on a speaker's viewpoint.33 Accordingly, an OIG may adopt a policy prohibiting personal attacks or disruptive speech, as long as the policy is content-neutral and is intended to maintain decorum in the forum.34

26 See infra Ethics section.
27 The Supreme Court has stated that certain types of speech are not entitled to protection because they are “of such slight social value . . . that any benefit that may be derived from them is clearly outweighed by the social interest in order and morality.” Chaplinsky v. New Hampshire, 315 U.S. 568, 572 (1942).
28 See R.A.V. v. City of St. Paul, Minn., 505 U.S. 377, 388 (1992) (providing the example that a state might “choose to prohibit only that obscenity which is the most patently offensive in its prurience” but may not prohibit only obscenity that includes offensive political messages).
29 Id. at 383; Chaplinsky v. New Hampshire, 315 U.S. 568, 572 (1942) (“[T]he lewd and obscene, the profane, the libelous, and the insulting or ‘fighting’ words—those which by their very utterance inflict injury or tend to incite an immediate breach of the peace”—do not enjoy constitutional protection).
30 Brandenburg v. Ohio, 395 U.S. 444, 447 (1969).
31 Watts v. United States, 394 U.S. 705, 707 (1969).
32 Miller v. California, 413 U.S. 15, 24 (1973) (describing obscene material as that which appeals only to prurient, or sexually arousing, interests; depicts “patently offensive” sexual conduct; and lacks any “serious literary, artistic, political, or scientific value”).
33 E.g., Steinburg v. Chesterfield Cnty. Planning Comm'n, 527 F.3d 377, 385 (4th Cir. 2008) (a planning commission meeting was a limited public forum, and the city could limit its discussion and restrict speakers reasonably to preserve decorum necessary to accomplish the purpose of the meeting).
34 Steinburg, 527 F.3d at 387 (“A content-neutral policy against personal attacks is not facially unconstitutional insofar as it is adopted and employed to serve the legitimate public interest in a limited forum of decorum and order”).

However, it is important to recognize that unlike in-person meetings, new media users can more easily disregard personal attacks or repetitive, off-topic comments by skimming through comments or ignoring comments altogether. Given how easy it is to ignore speech on new media platforms, OIGs should consider whether removing certain borderline off-color comments, for the purpose of upholding decorum and reasonably preserving the purpose of the forum, is worth the risk of chilling free expression.35 While remaining mindful of obligations regarding privacy, OIGs should consider disallowing anonymous speech.
Requiring users to register before posting comments might encourage appropriate use of the forum and, as long as the information is accessible to users who do not wish to register with a third-party provider, is advisable.36 However, OIGs should not require users to provide their personal information to a third-party provider to access government content. Not only could this raise privacy issues, but also it may create the appearance of providing preferential treatment to an enterprise.37

Regulating Internal Platforms

An OIG may create a new media platform solely for internal purposes, such as to allow employees to communicate with each other or share a digitized collaboration space. Unless the public is allowed to access the website and participate, the forum would be a nonpublic forum. An OIG may restrict internal new media access to a specific subset of employees in a nonpublic forum. For example, an OIG may grant access on a case-by-case basis, as in a SharePoint website for auditors or when a need-to-know basis exists. An OIG could even open an internal website to selected nongovernmental groups, potentially creating a limited public forum. The “constitutional right of access” would extend only to other entities of the same character, however; the Supreme Court has held that “selective access,” or allowing only certain similar groups to join a forum, does not transform a limited or designated public forum into a public forum.
38

OIGs have much more freedom to regulate speech in nonpublic, internal forums, as these forums are only subject to the reasonableness and viewpoint-neutral limitations. These limitations would not be violated if, for example, OIGs were to delete off-topic posts in SharePoint discussions or deny certain employees access to forums because of a lack of need-to-know. Despite employee requests for anonymity, OIGs may require employees to identify themselves before posting to internal new media platforms to ensure accountability.

35 See Lidsky, supra note 11, at 2002, for arguments as to why “allowing the government to preserve decorum in public meetings do not apply as strongly in the social media context.”
36 See infra Information and Privacy, and Public Accessibility sections for more information.
37 48 C.F.R. § 301-1 requires government business to be conducted “with complete impartiality and with preferential treatment for none.” See also infra Information and Privacy section regarding third-party privacy policy issues.
38 Perry Educ. Ass'n v. Perry Local Educators’ Ass’n, 460 U.S. 37, 47 (1983).

Unofficial Employee Use of New Media

Regarding unofficial employee use of new media, Federal employees do not forfeit their First Amendment rights by virtue of their employment.39 However, the Supreme Court has recognized that the government “may impose restraints on the job-related speech of public employees that would be plainly unconstitutional if applied to the public at large.”40

Absent proof of false statements knowingly or recklessly made, a public employee has the right to comment as a citizen on matters of public concern.41 However, when a public employee speaks not as a citizen upon matters of public concern, but instead as an employee about personal matters, government officials may take disciplinary action for inappropriate behavior or speech.
As the Supreme Court has held, “[w]hen employee expression cannot be fairly considered as relating to any matter of political, social, or other concern to the community, government officials should enjoy wide latitude in managing their offices, without intrusive oversight by the judiciary in the name of the First Amendment.”42 For example, “private speech” involving a complaint about changes to an employee’s duties may give rise to discipline,43 as may other speech that does not meet the public concern threshold, such as employees’ speech made “pursuant to their official duties.”44 Examples of official-duty speech include job-related or media interviews, or anything that may fall within an employee’s duties. Absent unusual circumstances, a Federal court will not second-guess an OIG personnel decision based on private speech, even if it is unfair or unreasonable.45

39 Federal courts of appeals have held that the government may not condition employment based on waiving a constitutional right. See Pickering v. Bd. of Educ., 391 U.S. 563, 568 (1968) (teachers do not lose their First Amendment rights to comment as citizens on matters of public interest in connection with the schools where they work); Keyishian v. Bd. of Regents, 385 U.S. 589, 605-06 (1967) (“The theory that public employment, which may be denied altogether may be subjected to any conditions, regardless of how unreasonable, has been uniformly rejected.”).
40 United States v. National Treasury Employees Union, 513 U.S. 454, 465 (1995).
41 Pickering, 391 U.S.
at 571-73 (high school teacher wrongfully dismissed for openly criticizing the Board of Education on its allocation of school funds between athletics and education, and its methods of informing taxpayers about the need for additional revenue because they were “matter[s] of legitimate public concern” upon which “free and open debate [was] vital to informed decisionmaking by the electorate”). See Garcetti v. Ceballos, 547 U.S. 410 (2006); Connick v. Myers, 461 U.S. 138 (1983).
42 Connick, 461 U.S. at 146.
43 Nat’l Treasury Employees Union, 513 U.S. at 466.
44 Garcetti, 547 U.S. at 421 (“When public employees make statements pursuant to their official duties, the employees are not speaking as citizens for First Amendment purposes, and the Constitution does not insulate their communications from employer discipline.”).
45 Connick, 461 U.S. at 146-47 (“Ordinary dismissals from government service which violate no fixed tenure or applicable statute or regulation are not subject to judicial review even if the reasons for the dismissal are alleged to be mistaken or unreasonable.”).

First Amendment Guidance in a Social Media Policy

Social media users, including Members of Congress and judges, sometimes fail to realize that information on social networks can be disseminated more widely and used for purposes other than intended. OIG employees are no exception. Experience has shown that absent a policy, the boundaries between social media use and office functions can become blurred.
For example, law enforcement officers have posted material that has impeached their courtroom testimony, or caused them to be removed from Federal service, and inappropriate social media use could easily harm an audit.46 Employees need to know that their private social media use may be discoverable, and not everything is protected by the First Amendment.47

Policies on employee use of social media are essential to help prevent employee missteps and protect the agency. All policies should have one baseline: Employees must make sure that their personal use of social media never creates conflicts with the work of their agency or OIG. All employees are responsible for ensuring that no information is disclosed through social media that might compromise OIG investigations, audits, or inspections. An OIG policy might contain the following language:

• Expressing personal views pursuant to one’s official duties, whether on or off duty, may result in disciplinary action.48

• Employees not authorized to speak on behalf of OIG must avoid giving the impression that they are representing OIG’s views.49 Therefore, when appropriate, employees should be clear that they are speaking solely in their personal capacity and not representing the OIG.

• Whether authorized to speak for OIG or not, employees may be disciplined for certain types of speech. Statements generally not afforded First Amendment protection include those that reflect solely matters of internal or personal interest; false and defamatory statements about OIG and/or OIG employees; threats and insults; “fighting words;”50 and statements that unduly disrupt the office, undermine a supervisor's authority, or destroy necessary close working relationships.51

• Generally, employees may express themselves as private citizens about matters of concern and value to the public at large,52 unless such speech undermines OIG’s effectiveness and efficiency.

• The First Amendment does not prohibit managerial discipline based on an employee’s speech made pursuant to official responsibilities because, in such a case, the employee speaks as an employee and not as a private citizen.53 The First Amendment protects only speech that an employee makes as a private citizen concerning a matter of public concern.

46 See J. Dwyer, The Officer Who Posted Too Much on MySpace, N.Y. TIMES (Mar. 10, 2009), http://www.nytimes.com/2009/03/11/nyregion/11about.html. Dwyer interviewed an officer whose MySpace posts allowed someone to beat a felony weapons charge at State Supreme Court, Brooklyn. The arresting officer posted before the trial that he was feeling “devious” and was “watching [violent police movie] to brush up on proper police procedure.” See also Spivey v. Dep't of the Navy, 2012 MSPB LEXIS 5278 (MSPB 2012) (police officer removed from service for posting sensitive law enforcement information on Facebook).
47 E.g., Trail v. Lesko, No. GD-10-017249 (C.P. Pa. July 3, 2012) (before a requesting party will be granted unfettered “access” to a Facebook account, the party must show a “sufficient likelihood” that the nonpublic postings would contain information that is relevant to the litigation that is “not otherwise available”). The Lesko analysis varies from the standard threshold relevancy model adopted by some courts and uses a balancing approach based on the “level of intrusiveness.” This opinion is an introduction to the discoverability of private social media content in Pennsylvania and other jurisdictions.
48 Garcetti, 547 U.S. at 421.
49 Under 5 C.F.R. § 2635.702(b), government employees are prohibited from creating the appearance that the government sanctions their views or activities. In addition, 5 C.F.R. § 2635.807(b)(2) requires employees involved in teaching, speaking, or writing, to provide a disclaimer that the views expressed do not express the views of the U.S. Government.

While a policy should be clear, it should not be too proscriptive. For example, a policy should not state that employees must allow OIG to vet blog posts before publication or require employees to get permission before posting a video on YouTube. Unless they are “reasonably necessary to protect the efficiency of the public service,”54 such restrictions are likely to be seen as a prior restraint on free speech and struck down by a court.55

50 Chaplinsky v.
New Hampshire, 315 U.S. 568, 572 (1942) (“[T]he lewd and obscene, the profane, the libelous, and the insulting or ‘fighting’ words—those which by their very utterance inflict injury or tend to incite an immediate breach of the peace”—do not enjoy constitutional protection). See also R. A. V. v. St. Paul, 505 U.S. 377, 383 (1992) (categories of expression can, consistently with the First Amendment, be regulated “because of their constitutionally proscribable content (obscenity, defamation, etc.)” (emphasis in original)).
51 E.g., Rankin v. McPherson, 483 U.S. 378, 388 (1987) (Pickering balance test considers such government interests in efficient office functioning as “whether the statement impairs discipline by superiors or harmony among coworkers, has a detrimental impact on close working relationships for which personal loyalty and confidence are necessary, or impedes the performance of the speaker's duties or interferes with the regular operation of the enterprise”); City of San Diego v. John Roe, 543 U.S. 77, 84 (2004) (upholding city’s termination of police officer whose off-duty conduct brought the mission of the city police department and the professionalism of its officers into serious disrepute, and whose speech was not a matter of public concern).
52 E.g., Pickering v. Bd. of Educ., 391 U.S. 563, 574 (1968) (“[A]bsent proof of false statements knowingly or recklessly made,” a public employee’s speech on matters of public concern may not form the basis of dismissal).
53 Garcetti v. Ceballos, 547 U.S. 410, 421 (2006).
54 United States v. National Treasury Employees Union, 513 U.S. 454, 474 (1995).
55 E.g., Harman v. City of New York, 140 F.3d 111, 119 (2d Cir.
1998) (agency policy requiring prepublication review of any information an employee intended to convey to the media was a prior restraint because it attempted to suppress speech in advance rather than punish disruptive remarks after their effect was felt); Southeastern Promotions, Ltd. v. Conrad, 420 U.S. 546, 559 (U.S. 1975) (“a free society prefers to punish the few who abuse rights of speech after they break the law than to throttle them and all others beforehand”); Cf. Weaver v. United States Info. Agency, 87 F.3d 1429, 1436 (D.C. Cir. 1996) (regulation permissible because the need to protect against the dissemination of sensitive material outweighed employee’s rights, but if it were read to authorize punishment or suppression of speech in advance, it would “raise serious constitutional issues”).

The Fourth Amendment and the Expectation of Privacy

Another constitutional consideration of new media concerns the Fourth Amendment.56 Government activity implicates the Fourth Amendment when government personnel conduct a “search” or a “seizure.” The Fourth Amendment protects citizens from unreasonable government intrusions into areas that are “constitutionally protected”57 or where an individual has a reasonable expectation of privacy.58 Depending on the policies and practices at an OIG, protected areas may include new media (and specifically, social media) activity on OIG-issued electronic devices and computers.
No court that we know of has found new media to be a “constitutionally protected area” for Fourth Amendment purposes.59 Therefore, individuals will enjoy Fourth Amendment protection in their use of new media only when they have a reasonable expectation of privacy, which requires an “actual, subjective expectation of privacy” that society is prepared to recognize as “objectively reasonable.”60

There can be no reasonable expectation of privacy in social media activities that do not restrict access, such as social media posts without privacy settings, because users knowingly expose their activities to the public.61 Accordingly, members of the public, and Federal employees who post information on social media accounts that are accessible to the public, have no reasonable expectation of privacy in those posts. For example, if a member of the public posts on an official OIG government social media account, he or she does not have a reasonable expectation of privacy in that information. Similarly, if a Federal employee tweets a message on her personal Twitter account but allows her account to be visible to the public, she has no reasonable expectation of privacy in her tweets. In addition, users may not expect privacy in noncontent, routing information of their Internet connections, such as to/from addresses for emails, Internet Protocol (IP) addresses of websites visited, volume of use, and other addressing and routing information.62

56 The Fourth Amendment states that the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause. . . .” U.S. CONST. amend. IV.
57 Jones v. United States, 132 S. Ct. 945, 951 (2012) (government’s warrantless installation of a GPS tracking device on a personal vehicle constituted a search because it was a trespass upon a constitutionally protected effect, i.e., a vehicle, for the purpose of obtaining information). Constitutionally protected areas include individuals’ persons, houses, papers, and effects. U.S. CONST. amend. IV.
58 Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring).
59 But see EDWARD C. LIU, ET AL., CONG. RESEARCH SERV., R42409, CYBERSECURITY: SELECTED LEGAL ISSUES 19, n. 145 (2012) (suggesting a court could find email to be a “paper” and a packet of data to be an “effect” under the Fourth Amendment).
60 Katz, 389 U.S. at 361.
61 Id. at 351 (“What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection.”); Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (a person “has no legitimate expectation of privacy in information he voluntarily turns over to third parties”). Social media users also have no reasonable expectation that information they voluntarily provide to others, such as other social media users in their networks, will remain private. See United States v. Meregildo, 883 F. Supp. 2d 523, 526 (S.D. N.Y. 2012) (a Facebook user’s “legitimate expectation of privacy ended when he disseminated posts to his ‘friends’ because those ‘friends’ were free to use the information however they wanted”).

Federal employees do not lose Fourth Amendment protections by virtue of their Federal employment.63 The government may not require employees to waive their Fourth Amendment rights as a condition of employment,64 such as by requiring an employee to provide passwords to his or her personal social media accounts. Nor may the government require an employee to provide unfettered access to an employee’s personal computer or handheld devices, such as an iPhone or Blackberry.65

While a government employee may have a reasonable expectation of privacy in the workplace, a government employer may take steps to reduce or eliminate that expectation.66 Employees using their government computers for personal use to communicate with friends via social media, for example, may have a subjective belief that their posts are private. Whether such expectation is objectively reasonable, and therefore entitled to Fourth Amendment protection, depends on the facts and circumstances of each situation.67

Even when an employee has a reasonable expectation of privacy in the workplace, an OIG may conduct a warrantless search without violating the Fourth Amendment under the “special needs” exception,68 or as long as it is not excessive in scope and is reasonably related to a work purpose.69 An employer’s “special needs” for efficient and proper operation of the workplace make the probable cause and warrant requirements impracticable and unnecessary for legitimate, reasonable, work-related, noninvestigatory intrusions, and investigations of work-related misconduct.70 To determine whether the special needs warrant exception applies, the Court balances an employee’s privacy expectations with the government’s interests.71

62 United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008). See also Smith, 442 U.S. at 743-44 (no legitimate expectation of privacy in dialing, routing, addressing, and signaling information transmitted to telephone companies).
63 See O’Connor v. Ortega, 480 U.S. 709, 717 (1987) (plurality opinion).
64 Federal courts of appeals have held that the government may not condition employment based on waiving a constitutional right. See, e.g., McDonnell v. Hunter, 809 F.2d 1302, 1310 (8th Cir. 1987) (if a search is unreasonable, “a government employer cannot require that its employees consent to that search as a condition of employment”); Keyishian v. Bd. of Regents, 385 U.S. 589, 605-06 (1967) (“The theory that public employment, which may be denied altogether may be subjected to any conditions, regardless of how unreasonable, has been uniformly rejected.”).
65 See infra Human Resources section for additional analysis on employee relations.
66 Whether an employee has a reasonable expectation of privacy in the workplace depends on several factors, including (1) the openness and accessibility of the workspace, (2) whether the employee has exclusive use of an area or item, (3) if the employer gave the employee prior notice of the possibility of searches in that area, and (4) the employer’s common practice and procedure of searching the area. Thompson v. Johnson County Cmty. Coll., 930 F. Supp. 501, 507 (D. Kan. 1996) (factor 1); United States v. Taketa, 923 F.2d 665, 673 (9th Cir. 1991) (factor 2); Schowengerdt v. United States, 944 F.2d 483, 488 (9th Cir. 1991) (factor 3); Am. Postal Workers Union v. United States Postal Serv., 871 F.2d 556, 560-61 (6th Cir. 1989) (factor 3); O’Connor, 480 U.S. at 717-18 (factor 4).
67 O’Connor, 480 U.S. at 717 (noting that the determination of whether a government employee has a reasonable expectation of privacy in the workplace requires a case-by-case analysis).
68 Id. at 725.
69 O’Connor, 480 U.S. at 725; City of Ontario v. Quon, 130 S. Ct. 2619, 2632 (2010).
70 Id.

Reducing or Eliminating Employees’ Privacy Expectations

Although the Supreme Court has not addressed the issue, Federal courts have held that agencies may reduce or eliminate government employees’ expectation of privacy when using government computers or devices through regulations and agency practices, such as policies, consent banners, and computer-user agreements.72 For example, the Fourth Circuit held that an employee did not have a legitimate expectation of privacy regarding his Internet use at work because his agency’s policy advised that the employer would electronically audit and monitor users’ access.73 Therefore, the OIG’s warrantless search of the employee’s computer and removal of his hard drive from his office did not violate the Fourth Amendment.74

Accordingly, OIGs should develop and implement a policy that notifies employees that they have no legitimate expectation of privacy whenever they are using a government-issued electronic device or computer, and similarly, that data exchanged on government equipment may be used by the government for official purposes. OIGs also should require employees to consent to an appropriately worded log-on banner and computer-user agreement.

71 Nat’l Treasury Employees Union v. Von Raab, 489 U.S. 656, 665 (1989). If the government’s needs trump an employee’s privacy interests—and as long as a Federal employer has a legitimate, work-related reason to intrude on an employee’s privacy expectations, and the intrusion is “reasonable under the circumstances”—the government does not need a warrant to conduct a search. Id. “Dual purpose” situations, in which the employer conducts a reasonable search based on a legitimate, work-related need, and also finds evidence of criminal conduct, do not require a warrant. The government does not lose its “special need for the efficient and proper operation of the workplace” merely because the evidence obtained revealed a crime. O’Connor, 480 U.S. at 723.
72 E.g., United States v. Thorn, 375 F.3d 679, 683 (8th Cir. 2004), cert. granted, judgment vacated on other grounds, 543 U.S. 1112 (2005), judgment reinstated, 413 F.3d 820 (8th Cir. 2005) (policy eliminated state employee’s reasonable expectation of privacy in the contents of the computer); United States v. Angevine, 281 F.3d 1130, 1134-35 (10th Cir. 2002) (banner and computer policy eliminates a state university professor’s reasonable expectation of privacy in data downloaded from the Internet); United States v. Monroe, 52 M.J. 326, 330 (C.A.A.F. 2000) (Air Force sergeant had no reasonable expectation of privacy in his government email account because it was reserved for official business and network banner informed him that use was subject to monitoring); United States v. Hamilton, 778 F. Supp. 2d 651, 654 (E.D. Va. 2011) (computer use policy defeated public school employee’s expectation of privacy when computer use policy stated that contents of the computer were subject to inspection, defendant signed forms acknowledging the policy, and a banner informed him of this policy when logging on to the system); Wasson v. Sonoma Cnty. Junior Coll. Dist., 4 F. Supp. 2d 893, 905-06 (N.D. Cal. 1997) (public employer’s computer policy giving the employer the right to access all information stored on the employer’s computers eliminates an employee’s reasonable expectation of privacy in files stored on the computers); Bohach v. City of Reno, 932 F. Supp. 1232, 1235 (D. Nev.
1996) (police officers do not retain a reasonable expectation of privacy in their use of a pager system because of an order announcing that all messages would be logged).
73 United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000).
74 Id.

To ensure compliance with the Fourth Amendment and other laws implicating Fourth Amendment concerns, the Department of Justice’s Office of Legal Counsel (OLC) recommends the following model log-on banner language:75

• You are accessing a U.S. Government information system, which includes (1) this computer, (2) this computer network, (3) all computers connected to this network, and (4) all devices and storage media attached to this network or to a computer on this network. This information system is provided for U.S. Government-authorized use only.
• Unauthorized or improper use of this system may result in disciplinary action, as well as civil and criminal penalties.
• By using this information system, you understand and consent to the following:
    o You have no reasonable expectation of privacy regarding communications or data transiting or stored on this information system.
    o At any time, and for any lawful government purpose, the Government may monitor, intercept, and search any communication or data transiting or stored on this information system.
    o Any communications or data transiting or stored on this information system may be disclosed or used for any lawful government purpose.

[click button: I AGREE]

If an OIG decides to implement its own banner language and computer-user agreements, care should be given to ensure that any diminution of an employee’s expectation of privacy is explicit and comprehensive. No matter how explicit a banner is, though, the Federal Law Enforcement Training Center’s Legal Division Handbook warns agencies against relying on them exclusively, so it is advisable to consult counsel before conducting an electronic search.76

Information and Privacy

In addition to constitutional issues, OIGs must consider information and privacy issues for both outbound and inbound communications when implementing a social media program.
Three key information and privacy laws come into play in the new media context: the Privacy Act of 1974, as amended (Privacy Act);77 the E-Government Act of 2002, as amended (E-Government Act);78 and the Freedom of Information Act (FOIA), as amended.79 An OIG needs to ensure not only its own compliance with these three laws, but also compliance of any third-party social media provider whose products it uses. Generally, each social media provider has its own privacy policy. An OIG should direct the public to read each third-party policy carefully before participating or providing information.

75 Legal Issues Relating to the Testing, Use, and Deployment of an Intrusion-Detection Sys. (Einstein 2.0) to Protect Unclassified Computer Networks in the Exec. Branch, 33 Op. O.L.C. 1, 5-6 (2009) [hereinafter Legal Issues Relating to EINSTEIN 2.0].
76 U.S. DEP’T OF HOMELAND SEC., FEDERAL LAW ENFORCEMENT TRAINING CENTER LEGAL DIVISION HANDBOOK 434 (2012).
77 5 U.S.C. § 552a.
78 Pub. L. No. 107-347, 116 Stat. 2899 (codified as amended at scattered sections of 44 U.S.C.).
79 5 U.S.C. § 552.

The Privacy Act of 1974

The Privacy Act is the primary law governing how the Federal Government collects, uses, maintains, and disseminates information about individuals.
It protects records about individuals when such records are maintained in a “system of records” under the agency’s control80 and are retrieved from that system by name, Social Security number, or any other identifier assigned to the individual.81

With certain exceptions, the Privacy Act prohibits disclosure of such records to any person or other agency without the written consent of the individual(s) to whom the records pertain.82 In addition to the exceptions that are contained in the Privacy Act, additional exceptions appear as “routine uses” in a “System of Record Notice” (SORN) published in the Federal Register. Any OIG implementing a social media program should review the exceptions and ensure that all outbound social media communications that contain Privacy Act-protected information comply with one of the exceptions.83

The Privacy Act also generally requires that agencies provide individuals the right to access, amend, and correct their records,84 although OIGs have traditionally exempted their investigatory files under the Privacy Act from this requirement.85 Regarding records that are not exempt, OIGs should give careful consideration to inbound social media communications and how (or whether) they will be treated, kept, stored, and maintained. Indeed, retaining such communications may require the creation of a new system of records, as (to use one example) comments to a blog post from the public might not fall under the definition of any existing system.86

80 The Privacy Act also applies to government contractor-operated systems of records. 5 U.S.C. § 552a(m).
81 Id. at (a)(4), (5). Personally Identifiable Information (PII), which is generally protected by the Privacy Act, includes any other “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” Joshua B. Bolten, M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OFF. MGMT. & BUDGET (Sept. 26, 2003), available at http://www.whitehouse.gov/omb/memoranda_m03-22 [hereinafter OMB M-03-22] (citing definition of PII from Clay Johnson III, M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OFF. MGMT. & BUDGET (May 22, 2007), available at http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf). Whether information can be used to uncover an individual’s identity is determined through a case-by-case assessment of the specific risk of identification.
82 5 U.S.C. § 552a(b). The Privacy Act contains certain explicit exceptions, including internal use on a need-to-know basis, disclosures required under the FOIA, disclosures in response to certain court orders, as well as official requests of congressional committees for matters within their official jurisdiction and the U.S. Government Accountability Office (GAO). Id. One exception allows agencies to establish additional “routine uses” (disclosures) compatible with the purpose for which the record was collected, provided those “routine uses” are published in the Federal Register notice establishing the relevant system(s) of records from which the records will be disclosed. Id. at (b)(3).
83 Privacy Best Practices for Social Media, CIO Council, at 10 (July 2013), #5, available at https://cio.gov/wp-content/uploads/downloads/2013/07/Privacy-Best-Practices-for-Social-Media.pdf (suggesting additional requirements for sharing information collected via social media) [hereinafter CIO Council Privacy Best Practices].
84 Id. at (d).
85 See, e.g., id. at (j)(2) (criminal investigatory files); (k)(2) (law enforcement investigatory files other than those covered by the (j)(2) exemption); and (k)(5) (investigatory materials for determining suitability, eligibility, qualification for Federal civilian employment, military service, Federal contracts, or classified information access, but only to the extent such material would reveal a confidential source). An agency must issue formal, published regulations in order to invoke these exemptions.

Since the Privacy Act generally requires agencies to maintain in their systems of records only such information about individuals as is “relevant and necessary” to accomplish an agency purpose required by statute or Executive Order (EO), it may be that much of the inbound social media communication that an OIG receives should not be maintained at all.87 For example, while fraud allegations submitted through social media likely are “relevant and necessary,” and thus may merit retention and storage, responses to tweets about an OIG initiative may not qualify.

When creating social or other new media accounts, databases, or programs, OIGs must examine whether they may be establishing a new system of records within the meaning of the Privacy Act. The definition of a system of records, as noted earlier, includes whether the records will be under agency “control,” whether those records will be “about” individuals, and whether records will be “retrieved” from the system by name or other personal identifier.88 If the OIG determines that it will be creating a new system of records—rather than simply incorporating records into an existing OIG system—the OIG must first seek public comment by publishing a SORN, and must also notify Congress and OMB of the proposed system.89 This procedural requirement is not merely ministerial, as agency officers and employees can be held criminally liable if they willfully maintain a system of records without publishing the legally required SORN beforehand.90 OIGs also may be subject to civil liability for maintaining inaccurate, out-of-date, or incomplete data collected about individuals in the OIG’s systems of records, if that information is then used unfairly to make an adverse determination relating to an individual’s qualifications, character, rights, opportunities, or benefits to which the individual may be entitled.91

86 For example, the Special Inspector General for Afghanistan Reconstruction has created SIGAR-11, Social Media Records, and SIGAR-12, Internal Electronic Collaboration Tools. See 77 FR 46551 (Aug. 3, 2012).
87 5 U.S.C. § 552a(e)(1).
88 OIGs should consult with counsel in making this determination.
89 5 U.S.C. §§ 552a(e)(4), (11); OMB Circular No. A-130, Management of Federal Information Resources, Revised, OFF. MGMT. & BUDGET App. I, para. 4 (2000), available at http://www.whitehouse.gov/omb/circulars_a130_a130trans4 (Federal agency reporting requirements to OMB and Congress). Agencies should also make their SORNs available on their agency websites.
90 5 U.S.C. § 552a(i)(2).
91 Id. at (e)(5), (g)(1)(C).

In light of these provisions, OIGs must carefully consider and weigh the benefits and risks of collecting, maintaining, or using Internet rumor, hearsay, and other third-party statements that may be difficult to verify. Information that an individual has directly posted on his or her own behalf may not be intended to be strictly factual or accurate, even if it may reflect the individual’s personal views or state of mind at the time. As noted above, because individuals may have no legal right under the Privacy Act to obtain mandatory access to their investigatory files, OIGs that decide to collect such information should also consider how individuals will be able to evaluate and ensure its accuracy and reliability.92 For example, the OIG may consider whether it is feasible or appropriate to offer an individual the opportunity to review, explain, or challenge the accuracy of such information, if it will be used as a basis for decisions regarding his or her employment, referral for prosecution, or other actions regarding the individual’s rights, benefits, or privileges.

When using social media or other means (e.g., online forms and questionnaires) to collect information from individuals for any new or existing system of records, OIGs generally must include a statement, on the form used to collect the information or on a separate form that can be retained by the individual, about the OIG’s authority to solicit the information, the purpose for which the information is intended to be used, routine uses, and any consequences of not providing the requested information (“Privacy Act statement”).93 As a result, creating a new system of records for inbound social media communications, or storing such communications in existing systems, creates a notice requirement in the operation of a social media program.

It should be noted that the Privacy Act does not prohibit agencies from maintaining records of fighting words, words that imminently incite illegal behavior, threats, and obscenities, or other such statements that may be posted on an OIG blog or online forum, so inbound communication of this nature can be retained and provided to appropriate authorities.
But without a legitimate law enforcement purpose, consent, or statutory authority, the Privacy Act forbids the government from maintaining records describing how an individual exercises his or her First Amendment rights (e.g., speech, religion, assembly), unless certain exceptions apply.94 Therefore, collecting and storing a series of tweets or blog posts for official purposes—even if relevant to the OIG’s mission—may violate the Privacy Act.95

92 For OIG investigatory files exempted solely under (k)(2), individuals have a right of access (except to information revealing a confidential source) if the individual has been denied rights, benefits or privileges on the basis of such records. See id. at (k)(2).
93 Id. at (e)(3).
94 5 U.S.C. § 552a(e)(7). This restriction applies even if the agency does not maintain or intend to maintain the information in a “system of records” as defined by the Act. For a collection of cases, see OFFICE OF INFO. & PRIVACY, U.S. DEP’T OF JUSTICE, GUIDE TO THE FREEDOM OF INFORMATION ACT 46-47 (2009), available at http://www.justice.gov/oip/foia_guide09.htm [hereinafter FOIA Guide]. Note that this restriction does not require or authorize an agency to destroy any records that it has been required or authorized to collect and retain under Federal law (e.g., the Federal Records Act), as outlined in the Records Management section infra.

The Privacy Act also limits the extent to which an agency may disclose information from its systems of records about individuals without their consent. Since one of the primary OIG uses of new media is to disseminate or share information about its audit and investigative work, it is critical that such disclosures (whether in tweets, posts, or blogs) not violate the Privacy Act. When nonpublic information is to be communicated through new media about, for example, an OIG investigation, steps should be taken to protect the identity of the subject or others. This may require editing or redacting written documents, editing or blurring video content, or taking other steps to protect individuals’ identities.

Each OIG’s routine uses, already published as part of the SORN in the Federal Register, will guide the OIG in its disclosures, but OIGs using new media may wish to revisit and, if appropriate, revise their routine uses and systems of records accordingly.96

The E-Government Act of 2002 and Privacy Impact Assessments

New media fits within the 11 stated purposes of the E-Government Act, which include promoting citizen participation in government; interagency collaboration in providing government services; and transparency and accountability within the Federal Government.97 OIGs must balance their pursuit of the E-Government Act’s goals, however, against the privacy provisions contained in Section 208 of the E-Government Act, designed to ensure sufficient protections for the privacy of personal information as agencies engage citizens electronically. Section 208 establishes requirements for conducting, reviewing, and publishing Privacy Impact Assessments (PIAs), and for posting privacy policies on Federal agency websites.98

95 Under Section 552a(e)(7), agencies may maintain records of First Amendment activity if “expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.” Nonetheless, some agencies are finding ways to monitor social media content in compliance with the Privacy Act. For example, according to a Department of Homeland Security (DHS) SORN titled DHS/OPS-004 Publicly Available Social Media Monitoring and Situational Awareness Initiative System of Records, 76 Fed. Reg. 5603 (Feb. 1, 2011), DHS is engaged in social media monitoring that is “not designed” to collect PII but may collect it for “certain narrowly tailored categories” and may share the information in a situation involving life and death. In June 2012, the Navy issued a solicitation that may help develop metrics tools for the public sector, allowing it to monitor the conversation “surrounding” the Navy. See Solicitation No. N00189-12-T-Z131, Social Media Monitoring, DEP’T OF THE NAVY (2012), available at https://www.neco.navy.mil/upload/N00189/N0018912TZ13112TZ131.doc.
96 To cite some examples of agencies that have amended their systems of records to account for social media, the Consumer Financial Protection Bureau has amended two of its systems of records to allow for disclosure to viewers of its social media and blog posts. See 77 FR 64962 (Oct. 24, 2012) and 77 FR 59386 (Sept. 27, 2012). The Federal Housing Finance Agency has amended a system of records to account for individuals or organizations that provide information through social media, among other methods. See 77 FR 47641 (Aug. 9, 2012).
97 44 U.S.C. § 3501 note. Pub. L. No. 107-347, 116 Stat. 2899, is codified as amended at scattered sections of 44 U.S.C.

Government agencies are required to conduct PIAs for information technology (IT) systems (e.g., software, hardware, Web development, cloud services) that will collect, maintain or disseminate personally identifiable information (PII).99 This assessment must take place before an agency develops in-house or procures from outside sources such IT, or before it initiates a new online collection of information within the meaning of the Paperwork Reduction Act (PRA), as amended, using such technology (e.g., new online web form or public survey that collects PII).100

As explained in OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, a PIA evaluates and documents not only how the agency will secure the PII, but also other nonsecurity issues potentially affecting privacy, including the availability or adoption of any alternative processes or technologies to mitigate such risks, and compliance with any other applicable legal, regulatory, and policy requirements.101 These additional privacy issues in the PIA include, for example, the purpose and scope of the PII to be collected, maintained, or disseminated by the technology; how the PII will be used or shared; how the agency will provide individuals with notice and applicable consent or access rights, if any; how and when PII will be retained or destroyed; and whether a system of records will be created under the Privacy Act.

In addition, agencies are required to perform PIAs and update them as necessary where a system change creates new privacy risks.
This may occur—

• When converting paper-based records to electronic systems;
• When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public; or
• When OIGs work together on shared functions involving significant new uses or exchanges of information in identifiable form.102

98 Id. The E-Government Act also includes FISMA. For a discussion of the FISMA requirements, see infra Information Security section.
99 Id. The E-Government Act uses the term information in “identifiable form,” which means “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
100 The PRA is codified at 44 U.S.C. §§ 3501-20; see also 5 C.F.R. Part 1320. In general, the PRA applies when an agency poses a set of identical questions to collect information from 10 or more persons (excluding agencies, instrumentalities, or Federal employees). 44 U.S.C. § 3501, et seq. See infra Information Collection section.
101 OMB M-03-22, supra note 81.
102 Id. Attachment A.

A PIA is not required when information relates to internal government operations or has been previously assessed under an evaluation similar to a PIA.
In addition, a PIA is not required where privacy issues are unchanged, such as when government-run websites, IT systems, or collections of information do not collect or maintain information in identifiable form about members of the general public, or when there are minor changes to a system or collection that do not create new privacy risks.

Adapted PIAs and Third-Party Websites or Apps

OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, modified OMB Memorandum M-03-22’s PIA guidance because Federal agency use of third-party websites and apps raised “new questions.”103 Specifically, M-10-23 requires an “adapted PIA” when an agency’s use of a third-party website or app may make PII available to the agency.104 Common examples include opening a social media account, embedding a third-party app on an official government website, or retaining a third-party developer to create and distribute an app for public use. M-10-23 sets forth the information that an adapted PIA must contain, including:

• The specific purpose of an agency’s use of the third-party website or application;
• Any PII that is likely to become available to the agency through such use;
• Intended or expected use of the PII;
• With whom it will share PII;
• Whether, how, and for how long it will maintain the PII; and
• How it will secure the PII it uses or maintains.

In addition, each use of a third-party website or app should be covered in a single, separate PIA.
However, a single PIA may cover multiple websites or apps if they are “functionally comparable” and the agency’s practices are “substantially similar across each website and application.”105

Adapted PIAs should be tailored to address specific functions of a website or app but need not be more elaborate than the OIG’s other PIAs. OMB guidance emphasizes that, regardless of the third-party website or app involved, agencies must limit the collection of PII through the website or app to the minimum necessary to accomplish a purpose required by statute, regulation or EO. OIGs must also examine the third party’s own privacy policy and practices carefully to evaluate the privacy risks and determine if the website or app is appropriate for OIG use.

103 See Peter R. Orszag, M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, OFF. MGMT. & BUDGET (June 25, 2010), available at http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf.
104 The term “make PII available” includes any agency action that causes PII to become available or “accessible” to the agency, whether or not the agency actually solicits that PII, or collects and incorporates it into agency records. See id. (defining “make available”).
105 Id.

OMB Memorandum M-10-23 also imposes specific public disclosure requirements before an agency can use a third-party website or app.
First, a PIA must be posted publicly (e.g., on an OIG’s official website with other PIAs), although portions that would compromise IT security may be redacted. Second, a description of the usage of the third-party website or app must be added to the agency’s “privacy policy” on its website(s).106 Third, when feasible, a “privacy notice” must be posted on the third-party website or app itself in locations where PII could be made available to the agency (e.g., an OIG social media profile or account).107 Fourth, the agency should apply “appropriate branding” to its third-party page or app to help the public distinguish the agency’s activities from nongovernment actors. In addition, M-10-23 provides that the agency’s Senior Agency Official for Privacy (SAOP) be consulted in evaluating whether to use a third-party website or app, including how many PIAs are required, as the SAOP has a “central-policy making role” and “overall responsibility and accountability” for ensuring privacy protection.108

One final matter to consider when an OIG uses a third-party website or app is that the public must be able to obtain comparable information and services from the OIG through alternative sources.109 In other words, the third-party website or app cannot be the exclusive means for disseminating the information or soliciting or accepting feedback.
Thus, members of the public must be able to learn about an OIG’s activities or communicate with an OIG in other ways, such as through the OIG’s own website. Information about these alternative sources should be disclosed, for example, by linking back to the OIG’s home page in the agency’s privacy notice on the third-party website or app, as required by OMB’s Memorandum M-10-23 and discussed earlier.

While the E-Government Act applies only to the government, an OIG needs to consider what social media providers do with information that the public provides in connection with OIG-sponsored activities. For example, some social media providers may try to collect PII from consumers communicating with the government in order to market to them. Some might try to collect consumer information, including photographs and videos, to sell to businesses without notifying or paying the creators of the information. To ensure that consumers know that a third-party privacy policy governs whenever they are on a third-party website, an OIG should consider using an “about us” feature on all its social media accounts. “About us” should explain the relationship between the social media service and the OIG, and clarify which privacy policy applies and when. An OIG also should consider using a “goodbye” banner that pops up when a user leaves the OIG website. This banner should feature the privacy policy of the third-party social media website as users click to the next screen. Since users may also access OIG-sponsored social media websites directly, and not through the OIG website, an OIG should make sure that those OIG-sponsored sites contain clear language about the privacy policy that applies.110

106 Id. (describing what a Federal agency’s privacy policy must contain, including, “when feasible,” links to the relevant privacy policies of the third-party site or app).
107 Id. The Privacy Notice is separate from the PIA, and discloses somewhat different information, including that the third-party site or app is not a Government site or app, and that the individual may be providing information to nongovernmental third parties. The Privacy Notice must also link to the agency’s official website and Privacy Policy. An agency “should take all practical steps to ensure that its Privacy Notice is conspicuous, salient, clearly labeled, written in plain language, and prominently displayed at all locations where the public might make PII available to the agency” on the third-party site or app.
108 Id. (citing Clay Johnson III, M-05-08, Designation of Senior Agency Officials for Privacy, OFF. MGMT. & BUDGET (Feb. 11, 2005), available at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-08.pdf).
109 29 U.S.C. § 794d.

Web Measurement and Customization Technologies or “Cookies”

One particularly pertinent consideration with respect to third-party websites (as well as OIG websites) is the use of “cookies,” which are “small bits of software that are placed on a web user’s hard drive . . . [that] can track the activities of users over time and across different websites.”111 Consistent with the E-Government Act and recognizing that cookies may be useful in “improv[ing] federal services online through conducting measurement and analysis of usage or through customization of the user’s experience,” OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, clarified the circumstances and conditions under which an agency may use cookies or other tracking technologies.112 Agencies may now use single-session web measurement and customization technologies, as well as multisession technologies with and without PII, subject to certain limitations.113

Except for internal agency, law enforcement, national security, or intelligence activities, an OIG may not use such cookies/tracking to—

• Track user individual-level activity on the Internet outside of the website or app from which the technology originates;
• Share data obtained through such technologies with other departments or agencies, without the user’s consent;
• Cross-reference, without the user’s consent, any data gathered through such technologies against PII to determine individual-level online activity;
• Collect PII without the user’s consent; or
• Perform any like usages so designated by OMB.114

110 See Disclaimer of Liability or Endorsement, OFF. OF GOV. ETHICS, http://www.oge.gov/About/Website-Policies/Disclaimer-of-Liability-or-Endorsement/ (last visited Aug. 16, 2013) (“We strongly recommend that you review the policies of any outside websites you visit from this site, since you will be subject to the privacy, security, and accessibility policies of those other sites, once you leave OGE.gov.”) [hereinafter OGE Disclaimer of Liability].
111 Jacob J. Lew, M-00-13, Privacy Policies and Data Collection on Federal Websites, OFF. MGMT. & BUDGET (June 22, 2000), available at http://www.whitehouse.gov/omb/memoranda_m00-13.
112 Peter R. Orszag, M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, OFF. MGMT. & BUDGET (June 25, 2010), available at http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf [hereinafter OMB M-10-22].
113 Single-session technologies remember a user’s online interactions using an identifier that is used only within a single session or visit, is not later reused, and is deleted immediately after the session ends. Multisession technologies remember a user’s online interactions through multiple sessions, using a persistent identifier for each user.

OMB M-10-22 further states that agencies may not use web measurement and customization technologies if they do not allow the public to opt out, and should explain in their privacy policies why they decided to use or not use such technologies so that users can make an informed decision on whether to opt out.

While OMB M-10-22 establishes a baseline for Federal agency compliance, OIGs have added considerations.
A unique feature of many OIG websites is a page to allow the public to submit allegations of potential fraud, waste, and abuse relating to Federal programs and operations. Those reporting pages often give the user the option to submit information anonymously. Some OIGs make it clear that website and email hotline complaints are expressly not given confidentiality. However, when third-party JavaScript code for web measurement and customization is embedded on a website, a record is created that tracks, at a minimum, the IP address of individuals visiting each page. Most of these tools track users’ actions to a granular level that not only identifies that they visited the main website, but also stores and tracks the steps that the users took when clicking through the website.

As a result, an individual attempting to submit information anonymously regarding suspected fraud, waste, or abuse may expect anonymity, but when correlated with other data, this tracking may be able to identify the individual.
For instance, IP address information can provide relatively accurate geolocation information about the user. Furthermore, if an individual is logged into a social media service or an online email service that has an information sharing agreement with the third-party website measurement service used on the fraud submission page, it is foreseeable that sufficient information can be correlated to permit the social media service, the email service, or the third-party web measurement service (or all three) to identify the complainant.

Ultimately, the use of this third-party technology in OIG web pages creates a scenario where users believe that they are anonymously submitting information but are in fact being tracked both by the third-party website measurement service and possibly also by other business entities with which the OIG has not entered a data use agreement. The information could be held by such private companies for indefinite periods of time, based upon their individual privacy policies, and disclosed voluntarily or even be subject to subpoena should the private entity be embroiled in litigation.

114 OMB M-10-22, supra note 112.

Finally, as with third-party websites and apps, an OIG must ensure that individuals who wish to avoid tracking technologies can obtain comparable information or services without such tracking, whether on the OIG’s own website or on a third-party website or app used by the OIG.
For example, OIGs may allow users to opt out and access the information anyway, or they may refer users to an alternate OIG home page or other website that does not contain the tracking technology.115

Freedom of Information Act

Another information law issue that has arisen with respect to social media is how social media will affect OIGs’ responsibilities under the FOIA.116 The FOIA provides individuals with a right, enforceable in court, to request and obtain access to Federal agency records, except to the extent that records or portions of records are protected from public disclosure by a statutory exemption or exclusion. The E-FOIA amendments of 1996 expanded the definition of “records” to include “any information that would be an agency record subject to the requirements of this section when maintained by an agency in any format, including an electronic format.”117

Government information posted on OIG websites or via third-party social media websites becomes part of the public domain upon its posting. This voluntary disclosure of information outside of the OIG may compromise the ability to withhold such information in the future under the FOIA. In addition, third-party comments may be subject to the FOIA. The Office of Government Ethics (OGE) provides the following disclaimer about what it may be required to provide under FOIA:

    OGE may be legally required, for example, by the Freedom of Information Act or a court order, to post documents generated by third parties that may contain offensive, defamatory, or misleading or otherwise inappropriate content. The OGE disclaims responsibility for the content of these documents.118

Any information created on an internal social media page would be subject to the FOIA. This information is treated the same as emails, drafts, reports, and the like, which are created electronically and are subject to the FOIA. In this case, however, because the records have not been distributed to the public, statutory exemptions could still be applied to the records.

115 Id.
116 5 U.S.C. § 552. FOIA presents social media issues with respect to both information and privacy, and records management. See infra Records Management section.
117 Id. at (f)(2).
118 See OGE Disclaimer of Liability, supra note 110.

A related issue is whether an OIG may accept FOIA requests through social media outlets. The FOIA states that an agency shall make records promptly available to any person who "reasonably describes" the records sought and requests them in accordance with the agency's published FOIA regulations.119 Depending on the applicable regulations, it may be acceptable to receive requests using new media.
The request only needs to be specific enough to enable an agency employee familiar with the subject area to locate the record with a “reasonable amount of effort.”120 OIGs must be familiar with their published FOIA regulations and make a determination if requests made through social media would be accepted.

Finally, it should be noted that OIGs are not required to provide FOIA requesters with documents that are already available to the public.121 This includes information on the OIG’s website and any publicly accessible social media content.

Information Collection

In addition to the government’s responsibilities under the Privacy Act, E-Government Act, and FOIA, an OIG also should be mindful of two laws that may come into play when it receives information from the public. Before collecting information from the public, an OIG needs to consider the PRA and the Federal Advisory Committee Act (FACA), as amended.122

Paperwork Reduction Act

One of the PRA’s goals is to reduce information collection burdens on the public.123 To help achieve that goal, the PRA requires an agency to receive OMB approval before collecting information in any situation where 10 or more respondents are involved and the questions are standardized in nature.124 The process to obtain approval involves several steps, including publishing a Federal Register notice and preparing an information collection request package.125

119 5 U.S.C. § 552(a)(3)(A).
120 See FOIA Guide, supra note 94.
121 Id. at 55.
122 5 U.S.C. app. 2.
123 44 U.S.C. § 3506(b)(1)(A).
124 44 U.S.C. § 3502(3) (defining the term "collection of information").
125 44 U.S.C. § 3507.

The PRA applies to the collection of information “regardless of form or format.”126 It follows that the PRA applies to the collection of information through the use of new media and web-based interactive technologies. However, there are exceptions: OMB memorandum Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction Act explains circumstances in which the PRA does not apply to social media.127 For example, an OIG’s use of blogs, wikis, and other social networks, to “publish” solicitations for public comment or conduct virtual public meetings may fall under the PRA’s “general solicitations” exception.128 This exception covers facts or opinions submitted in response to general solicitations of comments from the public, published in the Federal Register or other publications, regardless of the form or format, provided that no person is required to supply specific information pertaining to the commenter, other than that necessary for self-identification, as a condition of an agency’s full consideration of the comment.

When seeking comments, an OIG should pose open-ended questions that solicit broad, unstructured answers, and avoid asking specific questions and disseminating surveys with identical questions.
For example, an OIG may allow the public the opportunity to comment on discussion topics on blogs or other social media websites but should avoid posting web polls and satisfaction surveys that ask specific questions. An OIG may engage in brainstorming activities involving social media, such as crowdsourcing, but should avoid collecting any information beyond name and email or mailing address (e.g., age, sex, race/ethnicity, employment, or citizenship status).129 Generally, wikis will not trigger the PRA because they “merely facilitate interactions between agencies and the public.”130 In addition, wikis and other web-based collaboration tools that are limited to internal agency use are exempt from the PRA, as are interagency wikis such as OMB MAX.131 Finally, rankings, ratings, votes, and contests to determine a winner do not implicate the PRA unless they elicit a structured response (i.e., a series of questions that entrants must answer to take part in the contest), or if an OIG collects demographic information about the entrants.132

126 44 U.S.C. § 3502(3)(A); 5 C.F.R. § 1320.3(h).
127 Cass R. Sunstein, Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction Act, OFF. MGMT. & BUDG. (Apr. 7, 2010), available at http://www.whitehouse.gov/sites/default/files/omb/assets/inforeg/SocialMediaGuidance_04072010.pdf [hereinafter OMB PRA Memo].
128 5 C.F.R. § 1320.3(h)(4).
129 “Crowdsourcing” is “the practice of obtaining needed services, ideas, or content by soliciting contributions from a large group of people and especially from the online community rather than from traditional employees or suppliers.” MERRIAM-WEBSTER (2013).
130 OMB PRA Memo, supra note 127.
131 Id.
132 Id.

Federal Advisory Committee Act

The FACA governs the government’s use of Federal “advisory committees.” A Federal advisory committee is a group established by statute, established or used by the President, or established or used by a Federal agency to obtain advice or recommendations.133 The Federal advisory committee process should generally be used when an OIG wants to get advice or recommendations from a group of people who are not solely Federal employees and who have an expertise or perspective which can provide value to the decision making process.

Since new media may provide a venue for open meetings and an avenue for public inspection of meeting records, an OIG’s new media use may trigger FACA. For example, crowdsourcing, such as that used by www.challenge.gov or www.ideascale.com, may inadvertently lead to a FACA issue. It is important to be aware of this because FACA’s administrative requirements are burdensome: If FACA applies, an agency is required, among other things, to have a charter, publish notification of meetings in the Federal Register, and make transcripts available to the public.
134\n\n         Unless an OIG wishes to form an advisory committee under FACA, efforts should be\n         made to ensure that the parties participating in meetings vary, that a consensus is not\n         sought from participants, 135 and that the function of the group does not change to the\n         point that an OIG begins to use the group as a source of advice or recommendations.136\n\n         Records Management\n\n         When collecting or maintaining information created by social media, an OIG should be\n         aware of its recordkeeping responsibilities. All Federal agencies are required by law to\n         manage their records. 137 The Federal Records Act of 1950 and its implementing\n         regulations make each Federal agency responsible for determining which records need\n         to be preserved. 138\n\n\n133\n    5 U.S.C. app. 2, \xc2\xa7 3(2). A committee consisting solely of Federal employees is excluded from the definition.\n\n134\n    5 U.S.C. App. 2, \xc2\xa7\xc2\xa7 9-11.\n\n135\n    The intent is to obtain information or viewpoints from individual attendees as opposed to advice, opinions or\n\nrecommendations from the group acting in a collective mode. The more static the group composition (i.e., the same attendees \n\nat each meeting), the more likely a FACA issue may arise. \n\n136\n    See GSA, When is Federal Advisory Committee Act (FACA) Applicable?, available at \n\nhttp://www.gsa.gov/portal/content/100794.\n\n137\n    44 U.S.C. 
§ 3301 (defining a record, in part, as “all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them.”).
138 36 C.F.R. § 1222.22.

Whether something is a record that must be managed and preserved depends not on the form of the record, but on the content.139 Not all electronic data will constitute a record that requires preservation, just as not all papers are records for records management purposes. National Archives and Records Administration (NARA) guidance on records management for social media provides a nonexhaustive list of questions that may help in determining a record’s status:

• Is the information unique and not available anywhere else?
• Does it contain evidence of an agency’s policies, business, mission, etc.?
• Is this tool being used in relation to the agency’s work?
• Is use of the tool authorized by the agency?
• Is there a business need for the information? 
140

NARA guidance indicates that if the answer to any of these questions is yes, then the content is likely to be a Federal record.141 However, content that is duplicated across multiple platforms or held elsewhere in an agency’s recordkeeping system may be considered a nonrecord. For example, NARA states that reposted news items that are captured and managed elsewhere may be considered nonrecords.142 A NARA draft bulletin issued in June 2013 states that content on social media is likely a Federal record.143

To manage records created through new media, NARA advises that it may be helpful to focus on three key areas: policy, records scheduling, and preservation.144 A records management policy for new media should provide guidance on identifying what constitutes a record in a new media platform (including user-generated content) and how such records are to be captured and managed. Once an OIG has identified new media content as records, it must schedule the records or apply an existing appropriate disposition authority. In determining if an existing schedule or a new schedule is appropriate, an OIG should consider whether the new media platform provides enhanced processes, functionality, or other features, and for how long the record must be maintained. The ways in which an OIG chooses to preserve records created through the use of new media will vary based on the platform.

Some of the options that NARA suggests to capture content include (1) saving all content with associated metadata; (2) using web crawling and software to store

139 Guidance on Managing Records in Web 2.0/Social Media Platforms, NARA Bull. 2011-02, NAT’L ARCHIVES AND RECORDS ADMIN. § 4 (Oct. 10, 2010) [hereinafter NARA Bull. 2011-02]. 
This bulletin will expire on October 31, 2013.
140 Id.
141 Id.
142 Id.
143 NARA Bulletin 2013-XX, Guidance on Managing Social Media Records, NAT’L ARCHIVES AND RECORDS ADMIN. (June 26, 2013). This draft bulletin will supersede NARA Bull. 2011-02 but has not yet been finalized.
144 NARA Bull. 2011-02 at § 6, supra note 139.

content; or (3) using web capture tools to create local versions of websites and migrating content to other formats.145 NARA’s latest guidance on preserving social media records provides a detailed list of available tools and software that could help Federal agencies in capturing social media content.146 This document also states that screenshots do not comply with NARA’s transfer guidance for permanent web content records, as they only create a picture of the content and do not preserve the content’s metadata and functionality.147

Even when records are created and maintained on a third-party platform, an OIG is still responsible for being able to identify and retrieve them. Yet an OIG’s responsibility to manage its new media records can be challenging when records reside with a third party. NARA advises agencies to include a records management clause when negotiating a terms of service (TOS) agreement.148 The TOS should underscore OIG’s responsibility to manage Federal records created through the use of the new media platform. 
NARA provides the following general clause:

    The Agency acknowledges that use of contractor’s site and services may require management of Federal records. Agency and user-generated content may meet the definition of Federal records as determined by the agency. If the contractor holds Federal records, the agency and contractor must manage Federal records in accordance with all applicable records management laws and regulations, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), and regulations of the National Archives and Records Administration (NARA) at 36 CFR Chapter XI Subchapter B. Managing the records includes, but is not limited to, secure storage, retrievability, and proper disposition of all federal records including transfer of permanently valuable records to NARA in a format and manner acceptable to NARA at the time of transfer. The agency is responsible for ensuring that the contractor is compliant with applicable records management laws and regulations through the life and termination of the contract.149

NARA instructs that the use of this clause is “highly recommended,” but it is not required, and there may be other ways to comply with the law. The key is to address records management requirements in advance so that TOS terms can be negotiated upfront.

145 Id.
146 White Paper on Best Practice for the Capture of Social Media Records, NAT’L ARCHIVES AND RECORDS ADMIN., at 10-20 (May 2013).
147 Id. at 21.
148 NARA Bull. 2011-02, at § 7 supra note 139. 
See infra Procurement and Terms of Service Agreements section for more information.
149 Id.

Even if an OIG determines that content created through the use of new media does not constitute a Federal record, records management responsibilities still must be met. Specifically, electronic nonrecord materials must be readily identified and segregable from records, and nonrecord materials should be purged when no longer needed.150 When considering using any new media, it is advisable to contact records management officers for their assistance in ensuring that all records management responsibilities are met.

Human Resources

Information and privacy issues may seem unrelated to human resources (HR), but in the world of social media they often connect. For example, when a hiring official prints out an applicant’s social media profile pages as part of the application process, this raises Privacy Act and records management issues. This section covers such issues as recruiting and hiring; new media passwords; workplace discrimination, harassment and retaliation claims; and employee actions that may give rise to adverse actions, such as for social media activities that undermine or adversely affect an OIG’s mission. The following discussion briefly illustrates these areas of concern.

Recruiting and Hiring

Social media has become an increasingly popular way to recruit top talent to both government and the private sector. 
OIGs can use social networking websites to advertise jobs or answer questions about job postings on the Federal Government's official jobs website, USAjobs.gov. However, the recruiting and hiring process can bring problems if OIG staff are unaware of how to properly use social media. For example, some employers have started requesting applicants’ and current employees’ passwords to new media websites. At least four states have passed legislation making such requests illegal, and legislation is pending in other states.151 In the Federal context, this practice would not only be impracticable but also likely illegal.152

We are not aware of a law that prohibits a hiring official from viewing an applicant’s publicly accessible new media accounts as part of the hiring process. Information posted online for public viewing may be perceived simply as repackaged public information. In fact, depending on how and when it is done, an evaluation of an applicant’s Internet footprint may be a useful component in determining his or her

150 36 C.F.R. § 1222.16.
151 For a collection of state legislation that would prohibit requesting or requiring social networking passwords of applicants, students, or employees, see Employer Access to Social Media Usernames and Passwords, 2012 Legislation, Nat’l Conference of State Legislatures (Jan. 
17, 2013), available at http://www.ncsl.org/issues-research/telecom/employer-access-to-social-media-passwords.aspx.
152 See supra First Amendment and Fourth Amendment sections.

fitness for Federal employment. However, OIGs should be aware that viewing an applicant’s new media activity may lead to risks, including allegations of a Privacy Act violation or discrimination in the hiring process. The D.C. Circuit has held that merely performing an Internet search about an applicant would not constitute a Privacy Act violation, even if the searches were related to a person’s First Amendment activities.153 According to the D.C. Circuit, a violation occurs when a record is created; for instance, when there is a print-out or written annotation.154

A general social media search may reveal both factual and inaccurate information about a candidate. When information from social media websites is used to screen or openly eliminate a candidate from consideration, particularly if a decision to eliminate is based solely on the data found through social media content, an OIG is exposed to liability. For example, a hiring official’s viewing of an applicant’s social media profile may reveal that an applicant is pregnant, practices a certain religion, or graduated from college in a certain year. 
This is problematic if the applicant is not selected because the government cannot discriminate against an employee or applicant with respect to the terms, conditions, or privileges of employment on the basis of a protected class such as race, color, religion, sex, national origin, age, disability, marital status, or political affiliation.155

To defend against potential discrimination claims, an OIG manager who evaluates an applicant’s new media activities and declines to interview or hire an applicant based on those activities should carefully document the basis for the decision. OIGs should carefully consider their reasons for considering the new media content objectionable and whether those reasons raise concerns that are relevant to the hiring process. For instance, they should ask themselves whether they disagree with the content for legitimate work-related reasons, or rather just do not approve of the views expressed. Does the applicant’s speech indicate a suitability or background check issue? Does the speech cast doubt on whether the applicant would effectively promote the efficiency of OIG service? While answering these questions, it is important to remember an applicant’s rights under the Privacy Act, not to mention antidiscrimination laws.156

153 Gerlich v. Dept. of Justice, 828 F. Supp. 2d 284, 293-94 (D.D.C. 2011) (noting that, although “the Department of Justice’s use of political or ideological affiliation in civil service hiring does not, in and of itself, violate the Privacy Act,” it is “inappropriate, and could conceivably be the basis of some other claim”).
154 Id.
155 Discrimination on these bases is prohibited by one or more of the following statutes: 5 U.S.C. 
§ 2302(b)(1); 29 U.S.C. §§ 206(d), 631, 633a, 791; and 42 U.S.C. § 2000e-17.
156 Section (e)(7) of the Privacy Act forbids agencies from maintaining records about how individuals express their First Amendment rights (subject to certain exceptions). See supra First Amendment section. Job applicants may file a claim for damages if the making of such a record “had an adverse effect on them as required by subsection (g)(1)(D) of the Act,” Albright v. United States, 631 F.2d 915, 921 (D.C. Cir. 1980), and “'the agency acted in a manner which was intentional or willful.'” Id. (quoting 5 U.S.C. § 552a(g)(4)). In the D.C. Circuit, incorporation into a system of records is not necessary to trigger the Privacy Act. Id.

Finally, keep in mind that the sources considered in the hiring process may be considered agency records for Privacy Act, records management, and other purposes. Therefore, anyone authorized to use social media for hiring purposes should consult the OIG’s privacy officer, counsel, and recordkeeping officer regarding potentially creating a record that is retrievable under the Privacy Act.

Workplace Discrimination Claims

In addition to potential pitfalls in the recruiting and hiring sphere, viewing the new media activity of current employees may lead to claims of discrimination, so OIGs should caution supervisors about the risks. Supervisors who share a social network with employees should not probe to find certain information through social media. 
For example, a supervisor who is connected on a social media network with an employee who posts about his or her serious health conditions inadvertently may learn about that employee’s health. This is lawful.157 However, the supervisor should not probe into health issues or conduct an Internet search on the employee in a way that likely will reveal genetic information to avoid claims of discrimination based on the Genetic Information Nondiscrimination Act of 2008, as amended.158 It may be difficult for an OIG to argue successfully that it did not take action against an employee based on illegal grounds, if it is shown during discovery that a deciding official has viewed an employee’s new media content purposefully to find such information.

Even if supervisors or management do not actively search new media for information about employees, they may become aware of information about an employee inadvertently through other employees’ social media networks. Coworkers linked on social media platforms may print each other’s postings and may choose to share them with management. OIGs should make sure that employees know to involve HR professionals and counsel regarding any allegation made involving social media.

Harassment and Hostile Work Environment Claims

A form of employment discrimination that violates Title VII of the Civil Rights Act of 1964 (Title VII), as amended,159 the Age Discrimination in Employment Act of 1967, as amended,160 and the Americans with Disabilities Act of 1990, as amended,161 harassment is unwelcome conduct that is based on race, color, religion, sex (including pregnancy), national origin, age, disability, or genetic information. Since 1986,

157 See 29 C.F.R. 
§ 1635.8(b)(1)(ii)(D). This social media situation is explicitly covered under the “inadvertent acquisition of genetic information” exception to the prohibition on requesting, requiring, or purchasing genetic information.
158 42 USCS § 2000ff-1, 29 C.F.R. § 1635.8(a).
159 42 U.S.C. §§ 2000e, et seq.
160 29 U.S.C. §§ 621-34.
161 42 U.S.C. §§ 12101, et seq.

sufficiently “severe or pervasive” workplace harassment that “alter[s] the conditions of [the victim's] employment and create[s] an abusive working environment” has been recognized as an actionable claim against an employer under Title VII.162 Known as a “hostile work environment” claim,163 it is evaluated by “looking at all the circumstances” to determine whether the conduct was sufficiently severe or pervasive.164 A single incident of harassment generally does not substantiate a hostile work environment.165

OIGs may not have considered whether social media activities could contribute to a hostile work environment claim, perhaps assuming that an abusive working environment must occur at the office to be actionable. But courts are examining whether the totality of the circumstances test may contemplate harassment that occurs after hours or away from the office. 
Federal circuit courts are split on this issue, with the First, Second, Seventh, and Eighth Circuit Courts of Appeals indicating that harassment conducted outside the workplace counts towards the totality of the circumstances for purposes of a hostile work environment claim.166 Courts may consider social media harassment as part of the totality of the circumstances test.167

Arguably, as the concept of the federal workplace expands to include more teleworking, professional and personal boundaries increasingly blur, and employees increasingly use social media both for personal and professional purposes, an OIG’s potential liability under Title VII may grow. This is an area of law to follow.

Retaliation Claims

Retaliation against an employee or applicant for making a protected disclosure is prohibited by Federal law.168 In addition, the Federal Government cannot retaliate against an employee or applicant because that individual exercises his or her rights under any of the Federal antidiscrimination or whistleblower protection laws.169 If an

162 Meritor Sav. Bank v. Vinson, 477 U.S. 57, 64-67 (1986).
163 Id. at 66.
164 Harris v. Forklift Systems, Inc., 510 U.S. 17, 23 (1993).
165 Faragher v. City of Boca Raton, 524 U.S. 775, 778 (1998) (“[S]imple teasing,’ offhand comments, and isolated incidents (unless extremely serious) will not amount to discriminatory changes in the ‘terms and conditions’ of employment.’” (quoting Oncale v. Sundowner Offshore Serv., Inc., 523 U.S. 75, 81-82 (1998))).
166 See Jeremy Gelms, High-Tech Harassment: Employer Liability Under Title VII for Employee Social Media Misconduct, 87 Wash. L. Rev. 249, 259 (2012) (citing Crowley v. L.L. 
Bean, Inc., 303 F.3d 387, 409–10 (1st Cir. 2002); Ferris v. Delta Airlines, Inc., 277 F.3d 128, 135 (2d Cir. 2001); Lapka v. Chertoff, 517 F.3d 974, 983 (7th Cir. 2008); Doe v. Oberweis Dairy, 456 F.3d 704, 715 (7th Cir. 2006); Dowd v. United Steelworkers of Am., 253 F.3d 1093, 1102 (8th Cir. 2001)).
167 Id. at 271 (citing Blakey v. Continental Airlines, Inc., 751 A.2d 538 (2000) (“Although the electronic bulletin board may not have a physical location [at the office] it may nonetheless have been so closely related to the workplace environment . . . that a continuation of harassment on the forum should be regarded as part of the workplace.”); Amira-Jabbar v. Travel Services, Inc., 726 F. Supp. 2d 77 (2010) (social media harassment sufficiently work-related to be considered among all the circumstances)).
168 5 U.S.C. § 2302(b)(8).
169 5 U.S.C. § 2302(b)(9).

OIG learns about an employee’s complaint of retaliation, either by monitoring the employee’s social media activity on a government computer or through a social network that another OIG employee shares with the aggrieved employee, the OIG may be vulnerable to a retaliation claim if the employee later suffers an adverse employment decision. 
The Whistleblower Protection Enhancement Act of 2012170 recently expanded its protection of Federal employees from reprisal if they disclose misconduct to coworkers or supervisors, disclose the consequences of a policy decision, or, under certain conditions, blow the whistle while carrying out their job duties – even if they are not the first person to disclose misconduct.171 Therefore, a tweet about retaliation or even a message through a social media account to a supervisor or coworker, made on or off duty, may constitute a protected disclosure under the Whistleblower Protection Act.

Taking Adverse Action

At some point, an OIG may learn through social media that an employee has violated the law or OIG policy. For instance, an employee may have disclosed nonpublic information or posted photos from a hockey game that the employee attended while on sick leave.172 Or perhaps an employee posted or tweeted excessively while on duty, or violated another workplace policy involving social media. For whatever reason, an OIG may wish to discipline the employee based on information gleaned from social media.

Federal agencies are starting to include social media activities in disciplinary actions, but it is wise to be cautious.173 Federal law permits an agency to take adverse action against an employee “only for such cause as will promote the efficiency of the service,” including circumstances involving off-duty activities. 
174 Thus, it is important that an OIG establish clear, predetermined standards as to when private misconduct in connection with the use of social media rises to the level of misconduct that adversely affects an OIG’s efficiency of service.

Since “agenc[ies] [have] the burden of proof to establish that [an] employee’s discipline will ‘promote the efficiency of the service,’”175 OIG policies should give examples of actions considered to be misuse of social media. In addition, they should spell out the discipline that will be administered in response to such actions and how such discipline promotes the efficiency of the OIG service. When defining social media misconduct, it is

170 Pub. L. No. 112-199, 126 Stat. 1465 (2012).
171 Id. 5 U.S.C. § 2302(f).
172 See Hunter v. Dep’t of Navy, 2011 Merit Systems Protection Board (MSPB) Lexis 3159 (May 20, 2011) (allegation that Navy police officer appellant called in sick but posted information on Facebook showing that he had watched the Superbowl).
173 See Vidal v. Army, 2011 MSPB Lexis 4788 (Aug. 5, 2011) (involving agency removal of employee because of alleged anxiety-producing comment on Facebook that was reported at work); Shannon v. VA, 2013 MSPB Lexis 563 (Jan. 31, 2013) (affirming agency decision to remove employee for exchanging personal Facebook messages with veteran resident, in violation of policy).
174 5 U.S.C. § 7513(a).
175 Doe v. Dep’t of Justice, 565 F.3d 1375, 1379 (Fed. Cir. 
2009).

critical that OIGs include only actions that would impact job performance directly and in obvious ways.176 That said, the Merit Systems Protection Board and the Federal Circuit generally have held that off-duty activities can lead to discipline when they could cause the public or coworkers to question or lose confidence in the Federal agency involved.177

One of the factors making social media so complicated is that it requires employees to decide among apparently simple options, some of which may pose problems. For example, regarding employment status, employees may choose to identify themselves on their personal social media websites as employees of specific OIGs, generically as a Federal employee or by profession, or not list their employment status at all. Employees who identify their specific workplace open themselves up to potential ethics and Hatch Act violations, if their posts could be construed as official endorsements or improper political activity. Some senior or publicly known employees may be so well-known that they cannot successfully hide their employer and position, practically eliminating the chances of successfully maintaining a purely “personal” social media account. 
As for privacy settings, employees may choose to restrict access to certain people or groups, or open everything to anyone who wishes to see.

OIGs must create a social media policy that considers these and other factors in assessing the risks that an employee’s potentially problematic speech or content may pose, keeping in mind that if required to defend that policy in a personnel action, the OIG will need to establish that the actions constituting the violation “could rationally be considered likely to discredit” the OIG.178

In short, an OIG’s adoption of standards that reflect a clear nexus between misuse of social media and efficiency of service to the OIG will provide a uniform basis for evaluating employee conduct. Furthermore, including these standards in OIG policy (along with examples of each) will put employees on notice of prohibited practices in connection with social media use.

In summary, new media is an effective tool for both employers and employees when used properly, but both groups must be aware of the potential pitfalls. Strong employer

176 Id. at 1380-81 (citing Brown v. Dep’t of the Navy, 229 F.3d 1356, 1360 (Fed. Cir. 2000) and Bonet v. U.S. Postal Serv., 661 F.2d 1071, 1078 (5th Cir. 1981) (noting that it is insufficient to rely on internal regulations that generally proscribe certain employee conduct (e.g., “immoral” or “disgraceful” conduct) as proof of the required nexus between off-duty dishonesty/immorality and the efficiency of the service)).
177 E.g., Stump v. Dep’t of Transp., 761 F.2d 680, 681-82 (Fed. Cir. 1985) (upheld MSPB decision sustaining removal of employee for off-duty cocaine use).
178 Major v. Hampton, 413 F. Supp. 66, 67 (E.D. La. 1976). 
When determining if a particular action would satisfy this test, OIGs must consider “the nature of the acts, the circumspection or notoriety with which they are performed, and the atmosphere of the community in which they take place.” Id. at 69. Note that the third consideration promoted by the court is an allusion to the obscenity test in Miller v. California, 413 U.S. 15, 24 (1973), which dictates that obscenity should be defined according to “contemporary community standards.”

guidance and circumspect employee activity will go a long way in preventing damage to the employer-employee relationship.

Ethics

One area with potential to raise many HR issues is the field of ethics. Because new media allows more opportunities for employees to interact and express themselves, it presents a potential minefield of ethics violations. This section covers impartiality and endorsements; use of government resources; outside activities; nondisclosure of nonpublic information; the Anti-Lobbying Act; the Hatch Act; and appropriations restrictions.

Ethics Overview

All Federal employees must comply with Federal ethics laws. 
179 The standards for ethical conduct cover the basic ethical obligations of public service, including rules regarding gifts from outside sources and between employees, conflicting financial interests, impartiality in performing official duties, outside employment and activities, post-employment, and misuse of position.180 Based on 14 principles, the standards are designed to instill public faith in public servants. They apply to employee communications and conduct regardless of the medium, so it follows that they apply to the use of new media.

Overview of Impartiality and Endorsements

New media, and social media in particular, offers OIGs in an official capacity and employees in an unofficial, off-duty capacity the opportunity to “endorse” people, enterprises, and ideas. For example, Twitter accounts allow users to retweet messages, which may imply an endorsement of the message.181 Facebook allows users to “like” other users’ pages, posts, and links. And LinkedIn allows users to recommend or “endorse” others’ work and expertise. Merely subscribing to or “following” an individual or organization’s social media site could appear to be an endorsement.

Employees and their employing OIGs should be aware that Federal ethics rules require impartiality and prohibit employees from endorsing products, services, or enterprises in the performance of their official duties or while engaging in activity that creates the

179 Most of the ethics laws are found in Sections 202 to 209 of Title 18 of the U.S. Code and in Exec. Order No. 12,674, 54 Fed. Reg. 15,159 (Apr. 12, 1989), modified by Exec. Order No. 12,731, 55 Fed. Reg. 42,547 (Oct. 17, 1990).
The executive order is implemented by regulations at 5 C.F.R. § 2635.

180 5 C.F.R. Part 2635, Standards of Ethical Conduct for Employees of the Executive Branch.

181 An OIG may state on its profile that “retweet does not mean endorsement,” as other Twitter users do, but tweeting from an official account nonetheless may create the impression of endorsement.

appearance that the endorsement is somehow related to their official position. Specifically, the rules require employees to—

• “[A]ct impartially and not give preferential treatment” to private organizations or individuals;182

• Try to “avoid any actions creating the appearance” that they are violating laws or ethical standards;183

• Not use their public office to endorse “any product, service, or enterprise,”184 except when an exception applies;185 and

• Not use their public position or title or any authority associated with their public office “in a manner that could reasonably be construed to imply” that the government endorses their personal activities or those of another.186

Impartiality and Endorsements – Unofficial Employee Use

Based on the ethics rules on impartiality and endorsement, an employee may list his or her OIG position on a professional social media networking site but should be cautious about making
recommendations in connection with the account. An employee is prohibited from recommending companies, products, or services in an official capacity but is permitted to make recommendations in a purely personal capacity. The safest option is to avoid such endorsements altogether. However, an employee identified by his official title may write a recommendation for or “endorse” someone on LinkedIn under certain circumstances. An employee may make a recommendation in his official capacity based upon his personal knowledge of the ability or character of someone with whom he has dealt in the course of Federal employment or whom he is recommending for Federal employment.187 Writing a recommendation, in an official capacity, on social media for a government contractor would likely violate the Standards of Conduct.

Another opportunity to run into an endorsement pitfall concerns fundraisers through social media, sometimes referred to as “social fundraisers.” An employee may engage in a fundraising event not sponsored by the government, but may not allow his or her title, position, or any authority connected with OIG to further the fundraiser.188 Further,

182 5 C.F.R. § 2635.101(b)(8).
183 Id. at § 2635.101(b)(14).
184 Id. at § 2635.702.
185 Id. at § 2635.702(c).
186 Id. at § 2635.702(b).
187 Id.
188 Id.
at § 2635.808(c).

an employee engaging in fundraising in a personal capacity via social media may not solicit funds or other support from a subordinate or prohibited source.

Impartiality and Endorsements – Official OIG Use

With respect to official OIG social media activity, OIGs should have a policy governing the entities that the OIG “likes,” “follows,” or “recommends.” An OIG social media policy should inform employees of their ethical duties not to endorse private products, services, or programs in their official capacity, and instruct them not to associate their personal opinions with their public position. OIGs should monitor the activity of employees in charge of OIG official social media platforms to ensure compliance.

Generally, in the absence of statutory authority to endorse certain products, programs, or services, an OIG may choose to like, endorse, or follow only other governmental agencies or officials to avoid the appearance of improper endorsements.189 Just accepting a “friend” or other social media connection request from a public user may be fine, but the OIG should not proactively “friend,” “follow,” or “like” public users.190 An OIG employee using social media in an official capacity also should avoid direct endorsements.
For example, the employee should not post a statement saying that the OIG uses a particular provider because it is “the best platform for public communication.” However, the employee may post a statement such as "OIG just negotiated a terms of service agreement with [social media provider], which will provide OIG with a platform to communicate with the public," which is a statement of fact and not an opinion or endorsement.

Sometimes, however, an OIG’s mission might require following news of state and local governments, or nonprofit organizations on Twitter or other social media platforms. For example, an OIG that oversees a grant-making agency or is involved in emergency preparedness may justify following certain relevant entities. If an OIG’s mission could benefit from following major news outlets, it is advisable for the OIG to follow all major networks rather than one so that no preference is indicated.

OIGs should not allow third-party social media providers to use their logos or seals, nor should OIGs endorse or promote non-Federal logos or seals. Doing so may violate Federal contracting regulations requiring the government to treat all potential contractors with impartiality to allow for fair competition.191 It also may violate the

189 For example, 42 U.S.C. § 6294a requires the Department of Energy and the Environmental Protection Agency to endorse specific products and services.

190 CIO Council Privacy Best Practices, #4(b)(iii), supra, note 83. The CIO Council suggests that a statement be included in the PIA and on the social media account page to inform users that the acceptance of a friend or other social media connection request does not indicate endorsement.

191 48 C.F.R. § 3.101-1.
general ethical principle requiring employees to be impartial and avoid giving preferential treatment.192 One way to address potential problems is to use a disclaimer on all OIG-sponsored social media platforms stating that the OIG does not endorse any nongovernment websites, companies, or apps. An OIG also may wish to provide a link on its website as to why the OIG uses certain social media apps, and encourage readers to suggest other products. Finally, if links to an OIG’s third-party websites are provided, the OIG should consider adding a banner or disclaimer advising individuals that they are leaving the OIG website and entering the third-party website, and the OIG does not endorse any commercial products that may be advertised with the website.193 OGE’s online disclaimer contains the following information regarding endorsements:

    Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the Department of Justice.

    OGE does not control or guarantee the accuracy, relevance, timeliness, or completeness of information contained on a linked website; does not endorse the organizations sponsoring linked websites; does not endorse the views they express or the products/services
    they offer. . . . 194

Employee Use of Government Resources

Federal employees always have a duty to protect and conserve Federal resources and to put forth an honest effort while on duty.195 However, most OIGs have a “limited use policy” that allows employees to use government resources, including government computers and electronic devices, for personal purposes. This use is restricted, as the name implies, and requires that employees comply with legal and policy guidelines. Typical restrictions are that use should occur at times that do not interfere with an employee’s duties, should not trigger more than nominal increases in cost, and should not violate applicable laws or regulations. An employee who spends two hours a day updating social networking websites in a personal capacity on a government electronic device would be violating these rules.

192 5 C.F.R. § 2635.101(b)(8).
193 The banner should also state that the OIG’s privacy policy does not apply on third-party websites and applications.
194 See OGE Disclaimer of Liability, supra note 110.
195 5 C.F.R. §§ 2635.101(b)(5), (b)(9), 2635.704, 2635.705.

Restrictions on Outside Activities

Federal ethics regulations dictate that an employee’s outside employment and activities may not conflict with their official duties.
196 Supplemental agency ethics regulations, for agencies that have them, often include agency-specific restrictions on outside activities.197 So, for example, while maintaining a personal blog is allowable, employees who choose to list their position or title should only cite it as one of several biographical details, and include a disclaimer stating that the views presented represent the blogger’s personal views and not those of the OIG. Also, an employee should not blog or conduct other social media activities from their government computers, beyond that allowed by a “de minimis” use policy.

Nondisclosure of Nonpublic Information

Federal ethics rules forbid Federal employees from using, or allowing someone to use, nonpublic Government information to further their own private interests or the private interests of others.198 As defined by ethics regulations, nonpublic information is information that an employee gains by reason of Federal employment and that he or she knows or reasonably should know has not been made available to the general public.199 It includes information that is exempt from disclosure under the FOIA, or otherwise protected by EO or regulation, and information designated confidential by an agency.200 OIG employees need to be particularly careful with social media, where it is easy to click and disclose but practically impossible to retrieve and delete.
Depending on the nature of the information, disclosing via social media might violate not just the Standards of Conduct, but also various Federal statutes.

Prohibition of Lobbying

Social media platforms are effective ways to get a particular message across and communicate ideas to those who are unreachable through traditional methods. However, Federal agencies have a duty of political impartiality and must be conscientious of the Anti-Lobbying Act, which prohibits Federal funds from being used to directly or indirectly lobby Congress or any government official.201

196 Id. at § 2635.802.
197 OGE’s website provides links to all supplemental agency ethics regulations. See Agency Supplemental Regulations, OFF. OF GOV. ETHICS, http://www.oge.gov/Laws-and-Regulations/Agency-Supplemental-Regulations/Agency-Supplemental-Regulations/ (last visited Aug. 16, 2013).
198 5 C.F.R. § 2635.703.
199 5 C.F.R. § 2635.703(b).
200 5 U.S.C. § 552.
201 18 U.S.C. § 1913.

Anti-Lobbying Act violations can occur inadvertently through official or unofficial new media use.
Employees using new media to encourage the public to pressure Congress to support any legislation, law, or policy—whether advocating an agency position or not—may be found to engage in “grass roots lobbying.” These activities may violate the Anti-Lobbying Act if done on official time, since Federal salaries come from appropriated funds.202

To combat the risk of inappropriate lobbying, OIGs should train employees regarding this issue. Additionally, OIGs should develop understanding of what constitutes prohibited lobbying activity in the realm of social media and provide employees with adequate training on the basic principles of the Anti-Lobbying Act. As with many other areas of the law, staying abreast of Anti-Lobbying Act developments as applied to new media will greatly help to mitigate potential violations.

Prohibition of Partisan Activities

OIGs need to be aware of the Hatch Act’s ban on Federal employees’ partisan political activities.203 According to the Office of Special Counsel’s frequently asked questions (FAQ) on social media and the Hatch Act, the basics for “less restricted” employees are as follows:204

• If a Federal employee has listed his official title on his Facebook profile, he or she may also fill in the "political views" field.

• Federal employees are prohibited from advocating for or against a political party, partisan political group, or candidate for partisan public office through social media while on duty or in the workplace.
However, doing so off duty and away from the Federal workplace would not violate the Hatch Act, as long as employees do not refer to their official titles or positions.

• Employees may not solicit, accept, or receive political contributions, or suggest or ask anyone to contribute to a political party, partisan political candidate, or partisan political group. This restriction applies in the social media world.

• Employees should not provide links to the contribution page of any of those entities' websites.

202 See Application of 18 U.S.C. § 1913 to “Grass Roots” Lobbying by Union Representatives, 29 Op. O.L.C. 1 (Nov. 23, 2005).
203 5 U.S.C. §§ 7321-26.
204 Frequently Asked Questions Regarding Social Media and the Hatch Act, U.S. OFF. OF SPECIAL COUNSEL (Apr. 4, 2012), available at http://www.osc.gov/documents/hatchact/federal/Social%20Media%20and%20the%20Hatch%20Act%202012.pdf.
• Supervisors sharing social media networks with subordinates generally may advocate for or against a political party, partisan political group, or candidate for partisan public office via social media but may not direct any message toward a specific subordinate employee or to a subset of friends that includes subordinates.

• Employees are not liable for their social media contacts’ speech but should not “like,” “share,” or “retweet” speech that the employee would be prohibited from stating himself.

• Official social media accounts must be politically neutral. In other words, employees managing the OIG’s accounts may not “like” or “follow” political parties, or include information on such groups.

Some Appropriations Restrictions

Some OIGs have held digitized “town halls,” which allow an Inspector General or senior staff to address questions in real time. Others use blogs, video and audio sharing platforms, and other social media to push out their message. Among the benefits of engaging social media in this way is that an OIG can control its message and respond to any negative publicity immediately. When pushing out a message, however, OIGs need to be careful to avoid propaganda.
In the past 50 years, GAO has noted that one of the main targets of the publicity or propaganda prohibition is when the “obvious purpose is ‘self-aggrandizement’ or ‘puffery.’”205 By focusing on legitimate informational activities,206 an OIG fulfills its duty to inform the public regarding its policies, while avoiding puffery.207 Using OIG resources in explanation and defense of the OIG’s policies—even in the absence of specific direction or a mandate—is allowable.208 GAO has consistently held that public officials may report on their activities and programs, may justify those policies to the public, and may rebut attacks on those policies.209

205 E.g., Application for Anti-Lobbying Restrictions to HUD Report Losing Ground, B-284226.2, 2000 WL 1193462 (Comp. Gen. Aug. 17, 2000); Medicare Prescription Drug, Improvement, and Modernization Act of 2003, B-302504, 2004 WL 523435 (Comp. Gen. Mar. 10, 2004). GAO has defined self-aggrandizement as “publicity of a nature tending to emphasize the importance of the OIG or activity in question.” Restriction Violations on the Use of Appropriations in a Press Release by the Office of Personal Management, B-212069 (Comp. Gen. Oct. 6, 1983) (quoting 31 Comp. Gen. 311 (1952) (GAO’s first decision interpreting the publicity or propaganda prohibition). For example, an OIG would be prohibited from using appropriated funds to issue a press release to persuade the public as to its importance as a government OIG but not prohibited from providing legitimate information, such as on pending legislation. Id. (finding OPM press releases informing the public of the Administration's position on pending legislation unobjectionable).
206 Benjamin S. Rosenthal, House of Representatives, B-184648, 1975 WL 9457 (Comp.
Gen. Dec. 3, 1975) (discussing an OIG’s “legitimate interest in communicating with the public”).
207 Medicare Prescription Drug, Improvement, and Modernization Act of 2003, B-302504, 2004 WL 523435 (Comp. Gen. Mar. 10, 2004) (citing B-130961, Oct. 26, 1972) (stating that “OIGs have a general responsibility, even in the absence of specific direction, to inform the public of the OIG's policies”).
208 Id.
209 Id. (citing B-223098, Oct. 10, 1986) (stating that “public officials may report on the activities and programs of their OIGs, may justify those policies to the public, and may rebut attacks on those policies”).

Procurement and Terms of Service Agreements

Even though many social media services are free, OIGs still need to be aware of procurement issues, whether at the initial stage of choosing a provider or negotiating a TOS or user agreement. The key is to negotiate a TOS upfront that considers all legal, privacy, and information security requirements. This section addresses no-cost agreements, and issues that TOS agreements raise, including potentially problematic clauses on indemnification, choice of law and forum, confidentiality, and advertising.

No-Cost Agreements

The Competition in Contracting Act of 1984, as amended, applies to Federal agency procurements for property or services, and generally requires full and open competition.
210 However, since much of the new media available today is provided for free, procurements are often set up as no-cost agreements. A no-cost agreement is a “formal arrangement between a government entity and a vendor under which the government makes no monetary payment for the vendor’s performance.”211 GAO guidance advises that determining whether competition requirements apply to a no-cost agreement depends on the agency involved.212 GAO ultimately concluded that the Competition in Contracting Act of 1984 does not apply to no-cost agreements of military agencies but does apply to no-cost agreements of civilian agencies.213

No-cost agreements do not violate the Antideficiency Act because “[s]ervices performed pursuant to a formal contract, in which the OIG has no financial obligation and the contractor has no expectation of payment from the government, are not ‘voluntary’ within the meaning of the prohibition.”214 Therefore, as long as an OIG enters into a formal no-cost agreement with a social media provider that clearly states that the OIG has no financial obligation and that the social media provider has no expectation of payment from the OIG, the no-cost agreement will not violate the Antideficiency Act.

210 41 U.S.C. § 3301.
211 No-Cost Contracts for Event Planning Services, B-308968, 2007 WL 4226075 (Comp. Gen. Nov. 27, 2007) (citing General Services Administration and Real Estate Brokers’ Commissions, B-302-811 (Comp. Gen. July 12, 2004)).
212 GAO, No-Cost Contracts: Frequently Asked Questions, GOV’T ACCOUNTABILITY OFF. (Mar. 13, 2008), #5, available at http://www.gao.gov/special.pubs/appforum2008/nocostcontracts.pdf [hereinafter GAO FAQ].
213 Id.
214 No-Cost Contracts for Event Planning Services, B-308968, 2007 WL 4226075 (Comp. Gen. Nov. 27, 2007). The Antideficiency Act prohibits voluntary services because they may generate claims for compensation that may exceed an OIG’s appropriations. See 31 U.S.C. § 1342 (“An officer or employee of the United States Government . . . may not accept voluntary services . . . or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property.”).

The Federal Acquisition Regulation (FAR) does not apply to acquisitions of free media services, whether by a defense or civilian agency, because it applies only to government acquisition of supplies or services with appropriated funds.215 As with any other government expenditure, though, if the new media platform will require appropriated funds, the FAR applies to that procurement.

User Agreements and Terms of Service

OIGs should not sign a boilerplate TOS agreement with a new media provider but rather should negotiate the terms. OLC has determined that the standard of consent to an online TOS is the same as for traditional principles of contract law.
216 As a result, consent to an online TOS “turns on whether the web user had reasonable notice of and manifested assent to the online agreement.”217 OIG employees need to read the agreements, whether they are “clickwrap” or “browsewrap,”218 and avoid accepting standard “click-through” user agreements on most new media websites, as they usually contain provisions that are problematic for the Federal Government and may lead to a violation of the law.219

In 2009, the General Services Administration (GSA) began negotiating TOS agreements with various new media platforms for Federal government use. GSA publishes on www.howto.gov/tos a list of Federal-compatible TOS agreements that address many of the major legal issues (e.g., indemnification, liability, choice of law, advertising) that may arise. Although it may be tempting to use these templates as-is, OIG staff should review them for their own needs and negotiate with the provider as necessary.

When using www.howto.gov/tos to begin the process of enrolling in a new media program, OIGs should be aware that GSA generates an email to the parent OIG’s point of contact for approval, if applicable. Some parent agencies may try to prevent an OIG from starting and maintaining its own account. An OIG seeking to utilize a new media platform will need to work with the parent OIG point of contact to explain that (whether the parent OIG has its own account with the new media provider in question or not) the OIG account will be separate from any parent agency account. An OIG might need to

215 48 C.F.R. §§ 1.104, 2.101; See also Fidelity and Casualty Company of New York, B-281281, 1999 WL 22661 (Comp. Gen. Jan.
21, 1999); GAO FAQ, supra note 212, at #5.
216 The Anti-Deficiency Act Implications of Consent by Government Employees to Online Terms of Service Agreements Containing Open-Ended Indemnification Clauses, OFF. OF LEGAL COUNSEL (Mar. 27, 2012), available at http://www.justice.gov/olc/2012/aag-ada-impls-of-consent-by-govt-empls.pdf.
217 Id.
218 “Clickwrap” agreements require the user to take an affirmative action, such as checking a box or clicking an “I accept” or “I agree” button. “Browsewrap” agreements are passive and do not require the user to give express consent.
219 Note, however, that some social media providers have changed their basic TOS to be compatible with Federal OIG requirements.

clarify that, due to independence requirements, the TOS agreement will be reviewed and approved by OIG counsel, rather than agency counsel.

Indemnification Clauses

Service providers generally include indemnification clauses in TOS agreements. A standard indemnification clause might state that, if liability arises connected to the social media content or activities, the account holder must indemnify and hold the provider harmless from and against all damages, losses, and expenses of any kind.
It might include reasonable legal fees and costs.

Agreeing to such an open-ended, unrestricted indemnification clause would violate the
Antideficiency Act because employees may not “make or authorize an expenditure or
obligation exceeding an amount available in an appropriation or fund for the
expenditure or obligation.”220 The OLC determined that an employee with actual
authority to contract on behalf of the government violates the Antideficiency Act by
entering into such an obligation, whereas an employee without contracting authority
does not.221 This applies whether the service is free or fee-based.

To remedy any violations, GSA has negotiated indemnification clauses in TOS
agreements with numerous providers. Here is one example:

    3. (b) Indemnity. The indemnity provision in the Terms of Use is hereby deleted
    in its entirety and replaced with the following:

    Disclaimer. You agree that your account on the [social media provider] service
    will serve as an additional distribution channel for government information, but
    in no event will serve or be represented as the official site or homepage for
    Government Entity. To help convey this message, you will maintain the following
    message in a prominent location on your [social media provider] page: “If you're
    looking for the official source of information about [Government Entity], please
    visit our homepage at [URL Link].”222

GSA’s model TOS includes the following indemnification language:

    Indemnification, Liability, Statute of Limitations: Any provisions in the TOS
    related to indemnification and filing deadlines are hereby waived, and shall not
    apply except to the extent expressly authorized by law. Liability for any breach of
    the TOS as modified by this Amendment, or any claim arising from the TOS as
    modified by this Amendment, shall be determined under the Federal Tort Claims
    Act (FTCA), or other governing Federal authority. Federal Statute of Limitations
    provisions shall apply to any breach or claim.

220 31 U.S.C. § 1341(a)(1)(A).
221 The Anti-Deficiency Act Implications of Consent by Government Employees to Online Terms of Service Agreements Containing Open-Ended Indemnification Clauses, OFF. OF LEGAL COUNSEL (Mar. 27, 2012), available at http://www.justice.gov/olc/2012/aag-ada-impls-of-consent-by-govt-empls.pdf. If an employee without the authority to contract on behalf of the agency signs such a TOS, however, OLC determined that that would not violate the Antideficiency Act. According to FAR provision 48 C.F.R. § 4.101, only contracting officers have the authority to bind an agency to a contract.
222 Negotiated Terms of Service Agreements, GEN. SERV. ADMIN., http://www.howto.gov/web-content/resources/tools/terms-of-service-agreements/negotiated-terms-of-service-agreements (last visited Aug. 16, 2013) [hereinafter GSA TOS Amendments].

The following indemnification language may be added to supplement the language
contained in GSA’s model TOS:

    As an OIG of the United States Government, [OIG] is self-insured. Pursuant to the
    Federal Tort Claims Act (FTCA), 28 U.S.C. §§ 1346(b), 2671-80, the exclusive
    remedy for any negligent or wrongful act or omission on the part of its
    employees, when acting within the scope of their employment, shall be an action
    against the United States under the FTCA. As such, [OIG] acknowledges that
    liability for any acts or omissions on the part of its employees shall be determined
    pursuant to the FTCA.

By negotiating with providers for the deletion of open-ended indemnification language,
OIGs can ensure that TOS agreements they enter into with social media providers
comply with the Antideficiency Act.

Choice of Law/Choice of Forum Clauses

TOS agreements also generally include choice of law and choice of forum clauses that
require disputes to be resolved in a specific forum, most often a state court, or pursuant
to a specific state’s law. These clauses violate the sovereign immunity doctrine and
28 U.S.C. §§ 1346 and 1491, which govern jurisdiction in cases involving the United States
as defendant.223 OIGs should also be aware of the possible applicability of the Contract
Disputes Act of 1978, as amended; the FTCA; and the Tucker Act.

Boilerplate choice of law and choice of forum clauses may state the following:

    You will resolve any claim, cause of action or dispute (claim) you have with us
    arising out of or relating to [social media provider] exclusively in a state or
    Federal court located in [County]. The laws of [State] will govern this
    Statement/Agreement, as well as any claim that might arise between you and us,
    without regard to conflict of law provisions. You agree to submit to the personal
    jurisdiction of the courts located in [County, State] for the purpose of litigating all
    such claims.

223 Sovereign immunity is a legal doctrine granting the Federal Government immunity from lawsuits unless it has consented to being sued. Gray v. Bell, 712 F.2d 490, 509-10 (D.C. Cir. 1983).

To avoid violations of applicable law, GSA has negotiated with service providers to
amend such language. GSA’s negotiated TOS agreement with one social media provider
includes the following language:

    3(a) Governing Law and Liability of Government Entity.
    The provision in the
    Terms of Use that governs the jurisdiction, venue and choice of law in the
    resolution of any claim, cause of action or dispute arising out of your use of
    [social media site] is hereby replaced with the following:

    You and [social media site] will endeavor to resolve any claims, causes of action
    or disputes in an amicable fashion. Any claim, cause of action or dispute that
    arises from these Terms of Use will be governed, interpreted and enforced in
    accordance with the laws of the United States of America. In the absence of
    federal law, the laws of [State] will apply. The liability of Government Entity and
    its obligations to Company resulting from any breach by Government Entity of
    any of the provisions of this Terms of Use or any claim, cause of action or dispute
    arising from this Terms of Use will be determined under the Contract Disputes
    Act, the Federal Tort Claims Act, the Tucker Act, or any other applicable law.224

GSA’s model TOS includes the following choice of law language:

    Governing law: Any arbitration, mediation or similar dispute resolution provision
    in the TOS is hereby deleted. The TOS and this Amendment shall be governed by
    and interpreted and enforced in accordance with the laws of the United States of
    America without reference to conflict of laws. To the extent permitted by federal
    law, the laws of the State of [Company to insert name of state if one is
    mentioned in its TOS] (excluding [Company's state] choice of law rules) will apply
    in the absence of applicable federal law.225

As with the indemnification language above, OIGs should determine whether GSA-
negotiated language with regard to choice of law and forum fits their needs. If an OIG
negotiates with a service provider, then at a minimum the choice of law and forum
clauses should establish that Federal law applies to the agreement, not state law, since
Federal courts have exclusive jurisdiction over the Federal Government.

224 See GSA TOS Amendments, supra note 222.
225 Amendment to [Name of Company] Terms of Service Applicable to U.S. Government Users/Members, GEN. SERV. ADMIN., available at http://www.howto.gov/sites/default/files/model-amendment-to-tos-for-g.pdf (last visited Aug. 16, 2013).

Confidentiality Clauses

Some new media providers include confidentiality clauses in their user agreements. As
discussed above, the FOIA provides individuals with a right, enforceable in court, to
request and obtain access to Federal agency records, except to the extent that records
or portions of records are protected from public disclosure by a statutory exemption or
exclusion.226 Since an OIG’s use of new media can result in the creation of records, an
OIG may be required under FOIA to disclose such information in violation of any
confidentiality clause. An OIG may also be required to produce records created through
the use of new media in response to a Privacy Act request, a subpoena, or a discovery
order.
If a confidentiality clause exists in a new media provider’s TOS agreement, it is
advisable to ensure that any TOS be amended to recognize that the OIG will maintain
confidentiality “to the extent permitted by law.”

Advertising Clauses

Increasingly, social media websites include paid advertising on the pages of their
subscribers, and a boilerplate TOS agreement may include a clause requiring the
subscriber to authorize this practice. However, ads on an OIG’s social media page
create a risk of violating regulations prohibiting employees from using or allowing the
use of their public office to endorse any product, service, or enterprise.227 Whether
explicitly authorized by the subscribing OIG or not, ads on OIG-sponsored new media
could be construed as an endorsement of the advertised product or service. To prevent
violations, TOS agreements should be carefully examined for provisions concerning
advertising, and modifications should be negotiated as necessary. For example, a GSA-
approved TOS agreement for Federal agencies contains the following provision:

    Company hereby agrees not to serve or display any third party commercial ads or
    solicitations on any pages within the Company website displaying content
    created by or under the control of the Agency, provided that your sole remedy for
    [Company’s] breach hereof shall be to terminate your use of the website. This
    exclusion shall not extend to house ads, which Company may serve on such pages
    in a non-intrusive manner.228

This provision allows the new media provider to place one sort of advertisement on
Federal Government pages—“house advertisements” for its own services. Although
house ads may be permissible, OIGs should not agree to a TOS that allows advertising
from other sources. Table 2 shows possible ways to address TOS issues:

Table 2: TOS Issues

Clause              Issue                               Possible Fix
------------------  ----------------------------------  ------------------------------------------
Indemnification     User (OIG) agrees to reimburse      Incorporate Federal government liability
                    the provider for damages to third   limits from Federal Tort Claims Act.
                    parties. Violates Antideficiency
                    Act.

Choice of Law       Contrary to sovereign immunity      Change to incorporate Federal laws, such
                    doctrine.                           as Contract Disputes Act, Federal Tort
                                                        Claims Act, and the Tucker Act.

Choice of Forum     Contrary to sovereign immunity      Change clause to reflect “any competent
                    doctrine.                           Federal court.”

Unilateral          Provider reserves right of          Require notification period with time
Changes             unilateral change to TOS, after     limit for OIG to concur or terminate
                    notice on website.                  agreement.

Use of Agency       May create the appearance of        Allow provider to use OIG name or seal
Name/Seal/Logo      endorsement.                        only to state that it uses the provider’s
                                                        service (factual statement). Forbid
                                                        provider from stating or implying that
                                                        OIG endorses the service, or from using
                                                        OIG logo or seal in ads.

Confidentiality     Possible inconsistency with         Incorporate statutory disclosure
                    Privacy Act, FOIA, or litigation    requirements.
                    requirements.

Advertisements      May create apparent endorsement     Change clause to prohibit third-party ads
                    of advertised service or product.   or solicitations.

226 5 U.S.C. § 552. See supra Information and Privacy section.
227 5 C.F.R. § 2635.702.
228 See GSA TOS Amendments, supra note 222.

Intellectual Property Issues

Using new media may present challenges with regard to intellectual property rights,
such as government seals, copyright, and trademarks. OIGs should ensure that their
external new media websites provide clear, concise statements about the intellectual
property rights public users should be aware of.
For example, an OIG might notify users
that the government may not claim intellectual property rights in user-created content,
but a third-party new media provider may, and users should check the third party’s
policy. Additionally, public-facing websites should warn users when use of government
content might infringe on an intellectual property right.

Government Seals

In general, a private citizen may not upload an image of an agency seal or logo for use
within a personal social media account. Government seals are not in the public
domain.229 Fraudulent, wrongful, or unauthorized use of a government seal or insignia
is prohibited and punishable as a violation of the Federal criminal code.230 Many
agencies also have regulations that limit use of specific agency seals or insignia. For
example, NARA regulations provide directions for authorized use of its seal or logo.231
OIGs should make clear statements on their new media platforms indicating that use of
the OIG seal is prohibited unless the user obtains written authorization from the OIG. It
is important to protect against such improper use because the presence of an OIG’s seal
might give the appearance of an endorsement of the message or mission of a private
person or entity.232

229 A public domain work is a creative work that is not protected by copyright and which may be freely used by everyone.

Copyrights

Owners of copyright protection enjoy the exclusive right to reproduce and distribute
copies of their original works.233 The copyright protections relevant to new media exist
for original works of authorship in literary, musical, pictorial, graphic, motion picture,
audiovisual, and sound recording works.234 New media may raise several copyright
issues, such as government ownership of copyrights, potential government infringement
upon a private citizen’s copyright, and copyrights available on third-party platforms.

OIGs should keep a few things in mind. First, copyright protection is not available for a
U.S. Government work,235 which includes any “work prepared by an officer or employee
of the United States government as part of that person’s official duties.”236 Accordingly,
when an OIG employee creates and disseminates information through new media for
official purposes, that information enters the public domain and cannot be subject to
copyright protection by the employee or the OIG.237 Government website content is
owned by the government, not individual creators, and is likely to be agency record
material.238

Second, although government works are not entitled to copyright protection, the
government may obtain copyrights from private citizens by “assignment, bequest, or
otherwise.”239 In addition, Federal employees may secure copyright protection for
works written “at that person’s own volition and outside his or her duties, even though
the subject matter involves Government work or professional field of the official or
employee.”240 For example, an OIG employee who drafts a white paper analyzing the
impact of a piece of legislation as directed by her supervisor and then posts the paper
on the OIG’s social media websites cannot obtain copyright protection for that work.
However, if the employee wrote an op-ed on the same piece of legislation and posted it
on her personal social media website, she could secure a copyright for the work so long
as the work was not required, and she wrote it on her own time. She could also choose
to assign her personal copyright to the OIG.

230 18 U.S.C. § 1017 (wrongful use of government seals); 18 U.S.C. § 506 (knowing use of forged or counterfeit government seal); 18 U.S.C. § 701 (unauthorized manufacture, sale, or possession of a government insignia).
231 36 C.F.R. Part 1200.
232 See supra Ethics section regarding endorsements.
233 17 U.S.C. § 106.
234 Id. at § 102.
235 Id. at § 105.
236 Id. at § 101.
237 See Copyright and Other Rights Pertaining to U.S. Government Works, USA.GOV, http://www.usa.gov/copyright.shtml for information on some exceptions to this general rule. For example, other people may have rights in the work itself or in how the work is used, such as publicity or privacy rights. Works prepared for the U.S. Government by independent contractors may be protected by copyright. Not all information that appears on U.S. Government websites is considered to be a U.S. Government work.
238 See Implications for Recent Web Technologies for NARA Web Guidance, NAT’L ARCHIVES & RECORDS ADMIN., http://www.archives.gov/records-mgmt/initiatives/web-tech.html (last visited Aug. 16, 2013).

Finally, an OIG cannot authorize an individual’s use of copyrighted materials found on
OIG websites hosted by third-party platforms.
OIGs should consider adding disclaimer
language similar to that of OGE’s, which states that it “cannot authorize the use of
copyrighted materials contained in linked websites.”241

Liability for Copyright Infringement

OIGs may be liable for copyright infringement when using new media if they reproduce,
distribute, or display a copyrighted work without the express permission of the author
or copyright holder.242 To establish a claim of copyright infringement, the copyright
holder need only establish “ownership of the copyright . . . and copying by the
defendant.”243 However, the “fair use” defense allows “people other than the copyright
owner to use the copyrighted material in a reasonable manner without his consent.”244
Use of a work for “criticism, comment, news reporting, teaching, scholarship, or
research does not infringe upon copyright.”245 Accordingly, OIGs may be able to use
copyrighted material in new media forums without infringing on copyrights, so long as
their use qualifies as a “fair use.”

Courts consider four factors in determining whether the use of a work is fair:

• the purpose and character of the use, including whether the use is of a commercial
  or nonprofit nature;
• the nature of the work;
• the amount and substantiality of the portion used in relation to the work as a whole;
  and
• the effect of the use on the potential market for or value of the work.246

239 17 U.S.C. § 105.
240 H.R. REP. NO. 94-1476, 58-59, reprinted in 1976 U.S.C.C.A.N. 5659, 5671-73 (1976).
241 See OGE Disclaimer of Liability, supra note 110.
242 See 17 U.S.C. § 106 (stating “the owner of copyright under this title has the exclusive rights to do and to authorize” the reproduction, distribution, and display of copyrighted works).
243 Hustler Magazine Inc. v. Moral Majority Inc., 796 F.2d 1148, 1151 (9th Cir. 1986).
244 Id.; see also 17 U.S.C. §§ 106, 107.
245 17 U.S.C. § 107.

Determining whether an OIG’s use of a copyrighted work is fair requires a case-by-case
analysis. The most important factor for OIGs to consider is whether a use of another’s
work might impair the marketability or the value of the copyrighted work.247

OIGs can protect themselves from copyright infringement liability by providing
disclaimers on external-facing new media websites.
For example, OIGs might post
notices warning members of the public not to violate another’s copyright and
disclaiming liability for third-party social media activities that violate a copyright.

Trademarks

A trademark is “any word, name, symbol, or device or any combination thereof” used to
identify and distinguish goods from those manufactured or sold by others and to
indicate their source.248 In intellectual property discussions regarding social media,
trademarks can refer to agency logos and mission statements that appear on social
media platforms. An official OIG social media platform should have some indicators of
the official OIG trademark, demonstrating to the public the authenticity of the
information presented on that website. Private individuals may not use OIG trademarks
or logos on personal social media websites without permission.

Several pieces of legislation have been created in attempts to protect the use of
trademarks. For example, the Trademark Act of 1946, as amended,249 also known as the
Lanham Act, protects the use of trademarks and creates civil liability for persons who
engage in trademark infringement. Specifically, it prohibits “any person” from using “in
commerce any reproduction, counterfeit, copy, or colorable imitation of a registered
mark in connection with the sale, offering for sale, distribution, or advertising of any
goods or services on or in connection with which such use is likely to cause confusion, or
to cause mistake, or to deceive,” without consent of the registrant.250 “Any person”
includes the U.S.
Government.251 The Anticybersquatting Consumer Protection Act
prohibits mimicking other trademarks by using confusingly similar names or images.252
Neither of these acts prevents fair use of a trademark. Additionally, the Uniform
Domain Name Dispute Resolution Policy provides a process for registering domain
names.253 The policy creates a venue for trademark owners to bring forth challenges in
private administrative proceedings.

246 Id. at § 107(1)-(4).
247 Craig C. Carpenter, Copyright Infringement and the Second Generation of Social Media: Why Pinterest Users Should Be Protected from Copyright Infringement by the Fair Use Defense, 16 J. INTERNET L. 1, 17 (2013).
248 15 U.S.C. § 1127.
249 15 U.S.C. §§ 1051 et seq.
250 15 U.S.C. § 1114(1)(a).
251 Id. at § 1114(1)(b).
252 15 U.S.C. § 1125(a).

Certain laws are in place to protect the use of trademarks, but OIGs may not always
know when their official logo or brand is being used on nonofficial social media
websites. Technology has made it easy for an individual to simply copy and paste a logo
onto a new website, which may provide false information or divert the public to
inappropriate material. This is especially concerning for OIGs if they collect personal
information from the public; imposter websites may use deceit to obtain private
information from unaware individuals.
To discover fake social media platforms, OIGs
might consider designating an individual to do a routine Internet sweep to determine if
fake social media accounts have been created in the agency’s name. Watching out for
inappropriate trademark use can stem negative activities that may injure an OIG’s
reputation or dilute its message.

Public Accessibility

One of the goals of new media should be to help fulfill an OIG’s mission of outreach and
public affairs by providing information to the public in meaningful ways. However,
when using new media, OIGs must be sensitive to the discrimination issues that can
arise with regard to public accessibility to government communications. OIGs should
ensure that they take steps to comply with laws providing access to government
information and services to non-native English speakers and the disabled.

Section 508 of the Rehabilitation Act

Section 508 of the Rehabilitation Act, as amended, was enacted to ensure that people
with disabilities have other means to access Federal information found online.254 The
law applies to all Federal agencies developing or maintaining IT and electronic
technology. Section 508 requires agencies to provide disabled Federal employees and
members of the public “access to and use of information and data that is comparable to
the access to and use of the information and data” that is available to those without
disabilities.255

Absent undue burden, every OIG must ensure that its social media communications
provide equal access to individuals with disabilities.256 One way to ensure Section 508
compliance is to create alternative methods of disseminating information and soliciting
input to reach underrepresented groups. For example, OIGs can make sure that
information posted on Twitter is also posted to their official websites, thereby providing
those without Twitter accounts access to the same information. OIGs should ensure
that their new media activities are “508 compliant” whether the content is on an
internal or public-facing website, or includes software, websites, and services that are
free.257

253 See Uniform Domain-Name Dispute-Resolution Policy, ICANN, http://www.icann.org/en/help/dndr/udrp (last visited Aug. 16, 2013).
254 29 U.S.C. § 798.
255 29 U.S.C. § 794d(a)(1)(A).
256 Id.

Accessibility for People with Limited English Proficiency

Executive Order 13166, Improving Access to Services for Persons with Limited English
Ability, requires each Federal agency to ensure that people with limited English
proficiency (LEP) have meaningful access to its services, programs, and activities so as to
prevent discrimination on the basis of national origin.258 The Federal Government has
reinforced its obligations under this EO several times, most recently with a 2011
memorandum from the Attorney General.259 Using social media and new media to
interact with the public is agency activity that may require further steps to ensure that
LEP individuals have meaningful access (i.e., translation into other languages).

To ensure that agencies provide meaningful access to LEP individuals, EO 13166 requires
agencies to develop a plan.
Department of Justice guidance establishes four factors to determine whether an agency needs to create and implement a plan to ensure meaningful access to LEP individuals: (1) the number or proportion of LEP individuals, (2) the frequency with which LEP individuals came in contact with an agency’s programs, (3) the importance of the service provided by the program, and (4) resources available.260

Since the use of social media and/or new media would constitute an agency activity, the OIG must determine its LEP responsibilities. For assistance and guidance the OIG can consult its agency’s LEP plan, contact its agency’s LEP office, and refer to the Department of Justice guidance and other resources at www.lep.gov.

257 See Making Multimedia Section 508 Compliant and Accessible, GEN. SERV. ADMIN., http://www.howto.gov/web-content/accessibility/508-compliant-and-accessible-multimedia (last visited Aug. 16, 2013).

258 Exec. Order No. 13,166, 65 Fed. Reg. 50121 (Aug. 16, 2000).

259 Eric Holder, Jr., Federal Government's Renewed Commitment to Language Access Obligations Under Executive Order 13166, OFF. OF THE ATTORNEY GEN., U.S. DEP’T OF JUSTICE (Feb. 17, 2011), available at http://www.justice.gov/crt/lep/13166/AG_021711_EO_13166_Memo_to_Agencies_with_Supplement.pdf.

260 Enforcement of Title VI of the Civil Rights Act of 1964—National Origin Discrimination Against Person With Limited English Proficiency; Policy Guidance, 65 Fed. Reg. 50123, 50124 (Aug.
16, 2000).

Liability

Along with all the legal and privacy issues comes a concern about potential liability. Indeed, torts litigation involving social media is a growing phenomenon. Defamation claims involving Twitter posts even have a name: “twibel” suits. However, while both OIG employers and employees may be liable for issues relating to social media activity, the risks at this point appear minimal. Nonetheless, an OIG should keep potential liability issues in mind while developing a social media policy and implementing social media for official purposes.

The FTCA constitutes a limited waiver of sovereign immunity, requiring any claim for money damages resulting from an employee’s negligence or omission to be filed against the United States, as long as the employee was acting within the scope of employment.261 Under the FTCA, the United States is liable if a private person would be liable in accordance with the law of the place where the act or omission occurred (absent any exclusions under the FTCA).
262 As a result, courts apply state law to determine whether an employee was within the scope of employment.263 If an employee is found to be acting within the scope of employment, the employee is immune from all resulting suits.264

Although the FTCA does not completely waive sovereign immunity, Federal agencies are immune from certain torts, such as libel, slander, misrepresentation, and deceit.265 In other words, if an employee, acting within the scope of employment, is sued for defamation for official OIG social media activity, the United States will substitute itself as a defendant, and neither the employee nor the OIG will be liable.

One tort that potentially could cause an OIG employer liability involves privacy, such as an invasion of privacy claim.266 Each state may develop its own privacy laws, so the elements may vary state by state. In general, modern tort law has four generally recognized categories of invasion of privacy: intrusion of seclusion or solitude, public disclosure of private facts, false light, and appropriation of a person’s name or likeness.267

261 28 U.S.C. § 2671, et seq.

262 28 U.S.C. §§ 1346(b)(1), 2674.

263 Garcia v. United States, 62 F.3d 126, 127 (5th Cir. 1995) ("[W]hether a particular federal employee was or was not acting within the scope of his employment is controlled by the law of the state in which the negligent or wrongful conduct occurred").

264 Note that the Westfall Act requires the Attorney General to certify that the employee was within the scope of employment. See 28 U.S.C. § 2679(d)(1)-(3). However, that determination may be challenged. See Gutierrez De Martinez v. Lamagno, 515 U.S. 417, 430-31 (1995) (“The certification, removal, and substitution provisions of the Westfall Act . . . work together to assure that, when scope of employment is in controversy, that matter, key to the application of the FTCA, may be resolved in federal court. To that end, the Act specifically allows employees whose certification requests have been denied by the Attorney General, to contest the denial in court.”).

265 28 U.S.C. § 2680(h).

266 See William L. Prosser, Privacy, 48 CALIF. L. REV. 383, 389 (1960); RESTATEMENT (SECOND) OF TORTS §§ 652A-652E (1977).

In addition, a citizen may sue the government for abridging his or her First Amendment (or other constitutional) rights. An employee acting within the scope of employment may be sued personally for a constitutional tort in a case often called a “Bivens” action.268 However, the doctrine of qualified immunity allows government officials to exercise fair judgment and “provides ample protection to all but the plainly incompetent or those who knowingly violate the law.”269 This doctrine likely would protect an employee sued for deleting a member of the public’s communications (an alleged violation of free speech rights), unless the employee willfully violated the law.270

With so many legal and privacy issues to consider, including potential liability, an OIG may hesitate before starting or expanding a social media program.
The potential pitfalls demand not only knowledge at the outset, but also regular and continual maintenance. Despite potential pitfalls, however, OIGs will benefit from addressing the issues if only to steer employees in the right direction. No matter the degree to which an OIG engages new media, it can be sure that many employees already have an active social media presence.

In addition to the considerations discussed above, an OIG also needs to be aware of information security requirements. This next section will cover such information security issues as the Federal Information Security Management Act of 2002, cloud computing, social media, engaging new media providers, and protecting OIG networks.

267 RESTATEMENT (SECOND) OF TORTS § 652E, cmt. b (2012).

268 Bivens v. Six Unknown Named Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (1971) (Federal officials may be sued personally for money damages for the alleged violation of constitutional rights stemming from official acts).

269 Malley v. Briggs, 475 U.S. 335, 341 (1986).

270 Harlow v. Fitzgerald, 457 U.S. 800, 815 (1982) (holding that immunity would be defeated if an official "knew or reasonably should have known that the action he took within his sphere of official responsibility would violate the constitutional rights of the [plaintiff], or if he took the action with the malicious intention to cause a deprivation of constitutional rights or other injury . . .") (citing Wood v. Strickland, 420 U.S. 308, 322 (1975)).

Information Security Considerations

Social media services and new media often appear to confound the traditional security model for Federal agencies. Traditionally, agencies have controlled all aspects of an information system or contracted information services. Increasingly, however, as many social media services and new media apps are free, they can be provisioned outside of the authority of an agency's Chief Information Officer (CIO). In the past, the CIO has been primarily responsible through the Clinger-Cohen Act of 1996, as amended, for ensuring sound IT investments through associated laws, regulations, and Federal policies. One of the key provisions of the Federal Information Security Management Act of 2002 (FISMA), as amended, is to provide for the development and maintenance of minimum controls required to protect Federal information and information systems used by or on behalf of agencies. In practice, though, more attention has been given to the latter, as most Federal data resides on internal agency information systems that are tangible, traceable agency assets.

As OIGs embrace social media, the cloud, and other third-party websites and apps, Federal data will no longer receive the protections or assurance of fully assessed and accredited government networks, systems or personnel.
In this new paradigm, data regularly traverses government and corporate networks, as well as domestic and international boundaries, where it is subject to varying degrees of protection.

As Federal data is stored, processed, and transmitted through unknown and often insecure environments, agencies expose themselves to new security and privacy concerns that they will need to address to ensure that they achieve success with these new tools and accomplish the agency’s mission. Demand for social media and new media websites, apps, and services also puts pressure on OIGs to permit access to these websites, services, and apps through secure government networks.

The popularity of social media and new media websites, combined with their large memberships, make them attractive targets for malicious activities. When an OIG decides to allow access to these websites and services through secure government networks, additional safeguards and risk acceptance or mitigation need to be considered. OIGs will need to ask a few questions when proceeding with new media and the use of third-party storage. Where will the government data be hosted (internally, externally, hybrid)? Will the platform be used for internal or external communications, or both? The answer to these questions will have implications on which security laws, policies, and guidelines OIGs will need to follow.

Federal Information Security Management Act of 2002

FISMA was passed as Title III of the E-Government Act of 2002 in December 2002.
It requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.271 FISMA applies to all cloud computing, new media, and social media that stores, processes, or transmits Federal information. However, the application and implementation of FISMA-related information security requirements to specific new media technologies may differ across OIGs based upon the types of information and how the technology is used in the various systems and services.

271 FISMA Frequently Asked Questions, NAT’L INST. OF STANDARDS & TECH. (May 16, 2012), available at http://csrc.nist.gov/groups/SMA/fisma/faqs.html.

Pursuant to FISMA, OMB and the National Institute of Standards and Technology (NIST) issued standards and guidelines for how an agency should account for different information and information systems. These FISMA-related standards vary depending on the risk associated with the information and the information system. For example, agency use of public social media sites for public outreach may be considered low-risk, and a basic periodic risk assessment and implementation of some controls, including employee training, might be sufficient.
In contrast, use of an internal information-sharing platform that contains sensitive agency information is higher risk and may involve more complex requirements, including comprehensive continuous monitoring.

Cloud Computing

Cloud computing is often the engine that drives new media tools and services. NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, apps, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.272 This applies to several service models including SaaS, Platform as a Service, and Infrastructure as a Service regardless of whether the hosting service is provided by another Federal entity or commercial organization. Cloud computing is also inclusive of services used for internal communications or external engagements such as social media.

To address the security implications of cloud computing, OMB released a memorandum titled Security Authorization of Information Systems in Cloud Computing Environments on December 8, 2011.273 This memorandum formally sets the requirements created under the Federal Risk and Authorization Management Program (FedRAMP) as mandatory for Federal departments and agencies. FedRAMP establishes standardized security requirements for the authorization and ongoing cybersecurity of cloud services for selected information system impact levels that map back to FISMA requirements.
It applies to executive departments and agencies procuring commercial and noncommercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources.

272 The Definition of Cloud Computing, NAT’L INST. OF STANDARDS & TECH. (Sept. 2011), available at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

273 Steven VanRoekel, Security Authorization of Information Systems in Cloud Computing Environments, OFF. MGMT. & BUDGET (Dec. 8, 2011), available at https://cio.gov/wp-content/uploads/2012/09/fedrampmemo.pdf.

The FedRAMP requirements are being phased in through June 2014. By that date, all Federal cloud instances are required to be in compliance with FedRAMP policy. Organizations will be required to self-identify and report annually to OMB the cloud services being used that do not meet FedRAMP requirements.
In the meantime, departments and agencies are required to do the following:

• Leverage the FedRAMP process and security authorization requirements as a baseline when initiating, reviewing, granting, and revoking security authorizations for cloud services;

• Require cloud service providers to meet FedRAMP requirements in contractual provisions; and

• Assess, authorize, and continuously monitor security controls that are the agency’s responsibilities.

The FedRAMP website, www.FedRAMP.gov, provides information on how to comply with the program’s security requirements and guidance and how to structure standard contracting language for cloud service providers.

Social Media

The umbrella of new media also covers a range of social media tools, websites, and apps. On June 28, 2011, GAO released a report titled Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate, which found that:

    most agencies did not have documented assessments of the security risks that social media can pose to federal information or systems in alignment with FISMA requirements, which could result in the loss of sensitive information or unauthorized access to critical systems supporting the operations of the federal government.
    Without conducting and documenting a risk assessment, agency officials cannot ensure that appropriate controls and mitigation measures are in place to address potentially heightened threats associated with social media, such as spear phishing and social engineering.274

274 Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate, GAO-11-605, GOV’T ACCOUNTABILITY OFFICE (June 2011), available at http://www.gao.gov/assets/330/320244.pdf.

Additionally, some of these services, apps or websites are third-party websites and apps that may be considered cloud computing-based SaaS subject to the requirements of FedRAMP. The FedRAMP program is still in its infancy, and most social media services will not have formal authorization packages on file with the FedRAMP program office in the foreseeable future. However, the security controls and guidance put forth by the FedRAMP office will help OIGs assess the security of social media services and formally authorize their use.

Engaging New Media Providers

When engaging in new media and social media services, OIGs are confronted with a significant risk-management challenge. In many cases, the service providers are willing to enter into a specific TOS with an OIG, during which time the OIG has an opportunity to negotiate as many security and privacy requirements as possible. At times, such negotiations will not be favorable to the OIG, and the OIG will be pressured to accept terms as provided by the new media or social media company.
The following sections describe different tactics that OIGs may use to meet security and privacy requirements. OIGs should carefully review their relationship with social media and new media providers to ensure appropriate security and privacy matters are defined. OIGs should work with the new media providers to assess the security controls available and encourage the use of the available security controls in an effort to meet the Federal guidelines. Such topics include records retention, back-up of information, and securely storing credentials. Additional information may be found in appendix C.

Protecting OIG Networks While Accessing New Media Platforms

Consideration must be given as to when an OIG decides to have an official presence on a social media or new media platform, and equal consideration must be given as to how OIG users will access social media and new media services and websites. Many organizations and businesses block social media and new media websites for a variety of reasons, including security, privacy, and network performance. In crafting a new media or social media strategy, an OIG must also be aware of additional security and privacy challenges. Numerous technologies can aid an organization considering allowing access to new media and social media services and websites. OIGs should carefully consider which technologies may be appropriate to ensure secure access to social media and new media websites. They should address new media just as they would an internal system or network. Although the OIG does not own the new media, certain precautions should be taken before creating a presence on a new media website. For instance, OIGs should conduct a PIA and determine whether the application requires a SORN per the Privacy Act. The OIG should develop a Concept of Operations to formally authorize new media services and address how those services are leveraged and used.
OIGs should conduct and provide training to those authorized to use new media. Training can provide guidance on recognizing operation security violations, limiting potential PII data breaches, promoting ethical behavior, and delivering appropriate information via new media. Additional information may be found in appendix D.

Conclusion

We encourage OIGs to consider using new media to further their mission, but as this report illustrates, new media has the potential to open many legal, privacy, and information security concerns. Even if an OIG declines to engage new media, it is prudent to develop appropriate policies and train employees in proper social media use. Missteps and problems may result from inadequate education and preparation.

Before embarking on a social media program, an OIG might consider analyzing its business need for social media based on such cost-benefit analysis questions as: Do we have the resources to start and maintain a social media program? Are we able to devote adequate personnel and resources to support and monitor an interactive blog or another social media network? How will those resources improve outreach and allow interactive communications with our stakeholders and the public? If we do not engage social media today, will we be behind tomorrow?
Reaching out to other OIGs already engaged in new media may boost an OIG’s confidence in its abilities to manage the legal, privacy, and information security issues.

On the information security front, OIGs preparing to deploy new media may discover that many of the required risk-management policies, procedures, standards, and guidelines are already in place. In IT planning, OIGs should include their CIO, Chief Information Security Officer, and Senior Official for Privacy. This will decrease potential legal, reputational, and monetary risks of using social media and new media services. OIGs also should consider whether investments in IT systems and software may be necessary to ensure proper risk mitigation.

As an OIG decides the extent to which it wishes to engage new media, we hope that this report will help facilitate informed decisions. However, this report should not be used as a substitute for independent legal advice, and the CIGIE New Media Working Group members and sponsors expressly disclaim liability for errors and omissions in the contents of this report.

Appendix A
Objectives, Scope and Methodology

We undertook this review at the request of CIGIE’s Homeland Security Roundtable. The purpose of this review was to share new media legal, privacy, and information security research and analysis with OIGs.
This analysis is designed to better equip OIGs that are engaging or starting to engage new media and, for OIGs not planning on using new media, to illustrate why being aware of the issues and developing a policy and training are nonetheless important.

The Working Group was staffed with attorneys and information security professionals from offices of presidentially appointed and designated Federal entity Inspectors General. The group met regularly from September 2012 until the spring of 2013. The Working Group conducted independent research and analysis, aided by the work of the original working group and consultations with specialists from NARA, the Air Force, the Federal Trade Commission, and GSA.

This report should not be used as a substitute for independent legal advice. New media is a fluid area, and laws and policies may change at a rapid pace. The CIGIE New Media Working Group members and sponsors expressly disclaim liability for errors and omissions in the contents of this report. No warranty of any kind, implied, expressed, or statutory, is given with respect to the contents. The information appearing in this report is for general informational purposes only and is not intended to provide legal, privacy, or information security-related advice to any individual or entity.

Appendix B
Sample New Media FISMA Legal Analysis

This appendix addresses the question of whether FISMA requirements (44 U.S.C. Sec. 3541, et seq.) apply to information that an OIG disseminates to the public using new media or social media.
Messages are sent through new media and social media websites by establishing an account and sending messages through the Internet via the new media or social media website or mobile apps. FISMA requirements apply to new media and social media to the extent that these platforms are used to convey OIG information.

44 U.S.C. § 3541 sets forth the purposes of FISMA, which include providing effective government oversight over information security risks and maintaining minimum security controls required to protect Federal information and information systems. In furtherance of these goals, FISMA imposes requirements and responsibilities on OMB and on Federal agencies that relate to the establishment of programs to protect Federal information:

    (a) In General. -- The head of each agency shall --
        (1) be responsible for --
            (A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of --
                (i) information collected or maintained by or on behalf of the agency; and
                (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. . . .
275

In addition, FISMA states that each agency must establish an agency-wide information security program that includes, among other things, "periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency," and which ensures compliance with applicable standards promulgated under Section 11331 of Title 40 (the NIST standards).276

275 44 U.S.C. § 3544(a)(1).

276 Id. at § 3544(b).

These provisions would encompass an OIG's use of new media and social media to communicate with the public because the information conveyed would be "information conveyed or maintained. . . on behalf of the agency," and the new media or social media system itself would qualify as an "information system used or operated . . . on behalf of an agency." FISMA does not explicitly define the information to be protected and, consequently, also does not explicitly exclude OIG information conveyed via new media or social media from the information that must be secured through an OIG’s required information security program. "Information systems" is defined as "a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information."277 This definition would include new media and social media as an information system, because OIG would use new media and social media as an information resource to share or disseminate information. Consequently, an OIG is obligated under 44 U.S.C.
§ 3544 to incorporate into its information security program the information conveyed via new media or social media and the information system itself.

OMB's computer security and FISMA guidance confirms this conclusion. OMB promulgated Circular A-130 to instruct agencies on how to implement information security requirements under earlier computer security statutes. Although A-130 pre-dates FISMA, its requirements are still applicable. In paragraph (a)(g) under "8. Policy," the Circular states that agencies must "[p]rotect government information commensurate with the risk and magnitude of harm that can result from the loss, misuse, or unauthorized access to or modification of such information. . . ." The Circular defines "government information" as "information created, collected, processed, disseminated, or disposed of by or for the Federal Government," which would include an OIG's social media and new media information. Under the question "How will agencies ensure security in information systems," OMB replies, "Apply OMB policies and . . . NIST guidance to achieve adequate security commensurate with the level of risk and magnitude of harm. . . ." OMB defines "information system" as "a discrete set of information resources organized for the collection, processing, transmission, and dissemination of information ... whether automated or manual." "Dissemination" is defined as "the government initiated distribution of information to the public."
Because (1) OIG new media and social media
information meets the definition of "government information," (2) new media and social media
satisfies the plain meaning of "information system," and (3) the act of “posting” OIG
information qualifies as "dissemination," there is no basis to exclude use of social media and
new media from these requirements absent further clarification from OMB.

277 44 U.S.C. § 3502(8).

Pursuant to its FISMA obligations, OMB also promulgates annual FISMA reporting instructions.
The 2010 instructions appear to require that new media and social media be used consistent
with security requirements. FAQ 8 asks, "Should all of my agency's information systems be
included as part of our FISMA report?" OMB answers, "Yes" (with further elaboration, but no
limitation). As stated above, a new media and social media service qualifies as an "information
system." In FAQ 11, OMB states that NIST standards must be applied to all non-national
security information systems. In FAQ 13, OMB states, "Section 3541 of FISMA provides [that
FISMA’s] security requirements apply to 'information and information systems' without
distinguishing by form or format; therefore, the security requirements outlined in FISMA apply
to Federal information in all forms and formats (including electronic, paper, audio, etc.)." In
FAQ 25, OMB states that "security authorizations are required for all Federal information
systems."
In FAQ 36, OMB states, "[A]gency information security programs apply to all
organizations (sources) which possess or use Federal information—or which operate, use, or
have access to Federal information systems (whether automated or manual)—on behalf of a
Federal agency."

Although the 2010 instructions do not specifically address use of social media or new media,
FAQ 22 states that agencies should include SaaS and "software subscription" solutions in their
annual security reviews. In conclusion, FISMA and OMB require that the standards be applied.

Appendix C
FISMA, NIST, OMB, FedRAMP, and Privacy Considerations

Federal Information Security Management Act

FISMA requires each Federal agency to develop, document, and implement an agency-wide
program to provide information security for the information and information systems that
support the operations and assets of the agency, including those provided or managed by
another agency, contractor, or other source.

GAO made the following statement in Social Media: Federal Agencies Need Policies and
Procedures for Managing and Protecting Information They Access and Disseminate:

         The Federal Information Security Management Act of 2002 (FISMA) established a
         framework designed to ensure the effectiveness of security controls over information
         resources that support federal operations and assets.
         According to FISMA, each agency
         is responsible for, among other things, providing information security protections
         commensurate with the risk and magnitude of the harm resulting from unauthorized
         access, use, disclosure, disruption, modification, or destruction of information collected
         or maintained by or on behalf of the agency and information systems used or operated
         by an agency or by a contractor of an agency or other organization on behalf of an
         agency.

         Consistent with its statutory responsibilities under FISMA, in August 2009 the National
         Institute of Standards and Technology (NIST) issued an update to its guidance on
         recommended security controls for federal information systems and organizations. The
         NIST guidance directs agencies to select and specify security controls for information
         systems based on an assessment of the risk to organizational operations and assets,
         individuals, other organizations, and the nation associated with operation of those
         systems. According to the guidance, the use of a risk-based approach is applicable not
         just to the operation of the agency’s internal systems but is also important when an
         agency is using technology for which its ability to establish security controls may be
         limited, such as when using a third-party social media service.278

To meet FISMA compliance, social media and new media must have a risk assessment
performed through compliance with the NIST risk management framework. The level of
diffusion, use, and ease of provisioning of new media and social media makes it important to
involve all business, technical, and legal stakeholders before engaging in social media to identify
risks and where possible mitigate unnecessary risks.
When determining FISMA applicability, it
is important to engage counsel early in the process so they may understand the use of the
technology, such as what types of information are being used and how the technology or
service is being used on behalf of the OIG’s mission.

278 Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate, GAO-11-605, GOV’T ACCOUNTABILITY OFFICE (June 28, 2011), available at http://www.gao.gov/assets/330/320244.pdf.

The following sections address areas of information assurance and security as defined by NIST
in fulfilling its statutory FISMA responsibilities. Should counsel determine that FISMA does not
apply, the principles enumerated in the NIST Risk Management Framework should still be
considered as they are industry best practices, which when implemented properly can greatly
protect the OIG’s data and reputation, and the public from fraud, waste, and abuse.

Federal Information Processing Standards Series

The Federal Information Processing Standards (FIPS) are NIST standards for computer
information systems when there are compelling Federal government requirements, such as for
security and interoperability. FIPS requirements are mandated by FISMA for the protection of
Federal information and information systems. FIPS are thoroughly vetted by government and
industry experts and often are voluntarily adopted by industry as best practices for enterprise
security. FIPS represent the cornerstones of Federal information assurance and security.
The
following publications are the foundation of many Federal security programs:

• FIPS 140-2, Security Requirements for Cryptographic Modules;
• FIPS 199, Standards for Security Categorization of Federal Information and Information
  Systems; and
• FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.

If FISMA applies to the new media or social media application being used, then all applicable
FIPS must be applied as appropriate. Minimally, however, FIPS 199 and FIPS 200 will apply to
all services, systems, or apps. In many cases, a reasonable assurance of FIPS implementation
and compliance for a new media or social media application will not be available as the OIG has
little to no control of the platform. In these cases, the organization's authorizing official must
weigh the possible violation of FIPS (and possibly FISMA) in light of overarching critical mission
need and make a utilization or authorization decision.

NIST Special Publication 800 Series

The NIST Special Publication (SP) 800 Series was established in 1990 to provide an array of
computer security research and guideline documentation relevant to IT practitioners. The
series is the result of research and collaborative activities with industry, government, and
academic organizations. While much of the series is considered to be general guidelines, SP
800-53, or Recommended Security Controls for Federal Information Systems and Organizations,
is legally mandated for Federal agencies under FISMA through FIPS 200.
The most recent
version, Rev4, includes specific security controls related to planning (PL), access control (AC),
and Audit/Accountability (AU) for social media needs. Other relevant special publications for
social media and new media include—

• SP 800-37, Guide for Applying the Risk Management Framework to Federal Information
  Systems: A Security Life Cycle Approach;
• SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII);
• SP 800-144, DRAFT Guidelines on Security and Privacy in Public Cloud Computing; and
• SP 800-145, DRAFT A NIST Definition of Cloud Computing.

These publications can help guide an organization through the NIST risk management framework. As
the framework is applied to social media, new media, and cloud-based apps or services, a
residual risk posture will be developed, giving the organizational risk function a more
informed basis for its decisions. The Chief Information Security Officer, Information
Systems Security Officer, or Senior Agency Information Security Officer is typically well-versed
in these documents, processes, and procedures. If an OIG employs IT auditors experienced in
FISMA, FIPS, and the NIST SP 800 series, consider including them in any evaluation of new
media or social media.

Office of Management and Budget Memoranda and Circulars

OMB issues executive orders, instructions, and guidance for Federal agencies in a variety of
operational areas including security and privacy.
In June 2010, OMB issued memoranda that
provide specific guidance for the use of third-party websites and apps as well as web
measurement and customization technologies:

• OMB M-10-22, Guidance for Online Use of Web Measurement and Customization
  Technologies; and
• OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications.

M-10-22 and M-10-23 focus on privacy; the following memoranda and circular address security:

• OMB M-7-16, Safeguarding Against and Responding to the Breach of Personally Identifiable
  Information;
• OMB M-10-15, Reporting Instructions for the Federal Information Security Management Act
  and Agency Privacy Management; and
• OMB A-130, Management of Federal Information Resources.

Specifically, social media, or SaaS providers, are not inherently “Major Information Systems” as
described by OMB Circular A-130, but they do qualify as “information systems” defined by
44 U.S.C. § 3502, since they are “a discrete set of information resources organized for the
collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”
Additionally, OMB M-10-15 states that all information systems, including SaaS, should be
incorporated in an OIG’s annual FISMA report.
Further instructions in M-10-15 require agencies
to perform security assessments for all information systems regardless of impact or use.
Consider engaging the agency Chief Information Security Officer or Senior Official for Privacy
when reviewing OMB security and privacy requirements.

Reporting (OMB/Departmental/Congress)

A vital component of all IT programs is the maintenance of an accurate, timely, and thorough
inventory of all systems, software, and components. When systems and services are addressed
under FISMA, they will be captured by an OIG’s annual reporting, and stand as a record of the
system and as formal documentation of security controls for OIG information assets. When
systems and services are not addressed under FISMA, there may be alternative reporting
requirements for an OIG to catalog the use of third-party services.

Measuring and Managing Risk

Social media and new media services provide easy and accessible tools to communicate rapidly
with a wide audience. This enhanced communication ability comes at the cost of increased risk.
Risks range from threats to the confidentiality, integrity, and availability of data provided by the
OIG to loss of reputation through public embarrassment if the OIG’s account is compromised.
These risks can be managed, accepted, or mitigated through specific and defined configurations
and uses of social media and new media tools. For example, by requiring strong passwords and
regularly changing them, or restricting the configurations of the tools and what types of
information are processed, stored, or transmitted, an OIG can greatly reduce its risk posture. It
is important to have a thorough understanding of all features and functions of the tools to be
used and then document the desired use and configurations in conjunction with the
information security or assurance function in an organization.
Furthermore, it is important to
understand what information the OIG is going to share or store from the service, as many social
media tools provide access to large amounts of PII, and storing and accessing it can have
Privacy Act implications.

Continuous Monitoring

Unlike traditional continuous monitoring approaches for Federal information systems, social
media systems are not in the total control of the OIG. Despite this limitation, continuous
monitoring can be conducted in a limited and usually manual fashion. Specifically, OIGs should
monitor their social media services as continuously and as near real-time as possible to ensure
that their accounts have not been modified and that unofficial information has not been posted
to their accounts. This can be accomplished through documenting changes to the website and
storing backups of that data on internal OIG systems. Additionally, the technology behind
social media is constantly evolving as new features and functionality are rotated into the
service offerings. It is important that OIGs maintain their awareness and stay up to date on
changes to the products that they use. Some new media and social media services will
make sweeping and drastic changes to the controls that protect information.
These changes
could come from new features or additional privacy settings that must be taken into account.
For this reason, it is important for OIGs to regularly reevaluate the risk of the use of these tools.
This should also occur with any major content releases or updates to the social media service.
PIAs and security assessments should be routinely reviewed when a significant change occurs
and on a time-based schedule to ensure they are still accurate, thorough, and timely. For more
information about continuous monitoring, review the following publications:

• NIST FAQ on Continuous Monitoring; and
• NIST SP 800-137, Information Security Continuous Monitoring for Federal Information
  Systems and Organizations.279

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP is a collaboration among NIST, the GSA, the Department of Defense, DHS, the CIO
Council, state and local governments, the private sector, nongovernmental organizations,
academia, and working bodies such as the Information Security and Identity Management
Committee. FedRAMP’s goal is to develop an innovative policy approach to developing trusted
relationships between Federal Executive departments and agencies and cloud service
providers.

279 Frequently Asked Questions: Continuous Monitoring, NAT’L INST. OF STANDARDS & TECH.
(June 1, 2010), available at
http://csrc.nist.gov/groups/SMA/fisma/documents/faq-continuous-monitoring.pdf.

Appendix D
Negotiating, Contracting, and Communicating Information Security Requirements

Engaging New Media Providers

When engaging in new media and social media services, OIGs are confronted with a significant
risk management challenge. In many cases, the service providers are willing to enter into a
specific TOS with an OIG, during which time the OIG has an opportunity to negotiate as many
security and privacy requirements as possible. At times, such negotiations will not be favorable
to an OIG, and the OIG will be pressured to accept the terms provided by the new media or
social media company. The following sections describe different tactics that an OIG may
employ in trying to meet security and privacy requirements.

Voluntarily Meet Federal Information Security Requirements

For some social media and new media services, security can be considered an afterthought, if
not counterproductive, to engaging and growing a user base. However, many established
providers are compelled to maintain their customer base by improving service and security in
parallel. In recent years, the Federal Trade Commission has cited several social media providers
for misleading consumers about their level of privacy protection and information security
practices. Settlement agreements with the providers have required audits by independent
third parties. Audit results can be used to help understand the information security risks
involved in using platforms.
Some social media services have already begun using ISO 27001/2
and FISMA-compliant security programs and are willing to share their progress with Federal
agencies. When researching social media tools, due diligence should be performed to reach out
to the companies and engage in security and privacy dialogue so that the OIG’s risk
management function is able to develop a comprehensive understanding of the risk it may be
exposed to while using the service.

Contractual Options for Information Assurance

Social media services are generally free tools available for personal and enterprise use.
However, some service providers offer variations of a tiered service, such as free and paid
subscription models. In addition to enhanced user features in some of the paid subscriptions,
there are often enhanced security configurations as well. When reviewing a social media
service that offers a tiered service plan, it is advisable to enquire about the security
configuration differences between the tiers to be able to make an informed decision before
employing one of these tools. Additionally, a paid service model gives the OIG an opportunity
to negotiate a contract with the service provider and add security and reporting requirements.
Always ensure that a contracting officer and counsel are involved in these activities since legal
and contracting issues do arise.

FedRAMP Standard Contract Language

FedRAMP has developed a security contract clause template to assist Federal agencies in
procuring cloud-based services. This template should be reviewed by an OIG counsel to ensure
that it meets all requirements, and then incorporated into the security assessment section of a
solicitation.
The template covers FedRAMP requirements for areas like the security assessment
process and related ongoing assessment and authorization. The template also provides basic
security requirements identifying cloud service provider responsibilities for privacy and
security, protection of government data, personnel background screening, and security
deliverables with associated frequencies.

Appendix E
Protecting OIG Networks While Accessing New Media Platforms

Great consideration must be given when an OIG decides to have an official presence on a social
media or new media platform, and equal consideration must be given as to how users will
access social media and new media services and websites. Many organizations and businesses
block social media and new media websites for a variety of reasons including security, privacy,
and network performance. In crafting a new media or social media strategy, the OIG must also
be aware of additional security and privacy challenges. Numerous technologies can aid an
organization that is considering allowing access to new media and social media services and
websites.

Web Proxy and Web Filters

Web filters and proxies are designed to filter and block malicious, illegal, inappropriate, or
unwanted web content. Many agencies employ web filters to block designated pages;
however, they also often block social media and new media websites because of the amount of
malware and malicious content potentially distributed by these tools. OIGs employing only
web filters often rely on separate Internet connections through aircards, digital subscriber lines,
or similar technologies.
Web proxies are typically much more expensive and require greater
management, but they also allow much greater flexibility in granting access to websites: the
proxy simulates a computer, opens the content on it first, and observes its behavior
using a variety of antivirus and antimalware tools. If the content is deemed acceptable
according to the defined risk threshold, it is passed on to the end user. If the content is
deemed malicious, the end user is informed that the content they are trying to access has been
quarantined. CIOs and information system security officers can provide more information
about web proxies and filters. If an OIG is planning to allow access to new media or social
media websites, it should strongly consider implementing a web proxy. A web proxy will not
protect against all malicious attacks but will greatly reduce the risk of accessing social media
and new media websites.

Data Loss Prevention and Protection

Data loss prevention (DLP) tools are used to examine the types of information leaving an OIG's
network. As social media and new media typically offer the ability to post large amounts of
information on the service, OIGs must be able to detect sensitive information exfiltration.
Many DLP tools can be configured to detect PII, credit card numbers, phrases, and specific
combinations of information. Many of these tools can also be configured to detect sensitive
information in compressed files, documents, and common office documents.
DLP tools are
typically a considerable investment and require management support and operational
overhead to operate successfully.

Secure Workstations or Terminals

Even with web proxies, DLP, and other security controls, OIGs must exercise defense when
deciding to allow users to access social media or new media services. Most agencies are
required to adhere to the Federal Desktop Core Configuration or the U.S. Government
Configuration Baseline when purchasing desktops, laptops, and servers. These configurations
harden and strengthen the overall security posture of workstations that may access new media
or social media services. Consider using the concept of “least privilege” for user accounts when
determining the depth and breadth of workstation-hardening activities. An example of “least
privilege” could be ensuring that all workstations and end-user devices use “restricted” or
“limited” accounts by default. These accounts allow the common commands that a standard
user needs to work while restricting the use of commands that could damage a system. Only
users such as helpdesk and system administrators would be issued accounts that could harm
the system if used incorrectly, such as with “administrative” or “root” level accounts.

Security Operations Centers and Continuous Monitoring

DLP, web proxies, and other technologies are limited by the reaction time of an OIG to a
malicious attack or event.
When deciding to allow access to social media or new media
websites, the OIG should consider whether a security operations center should be employed or,
if one is already employed, whether additional tuning of the security operations center's
functions will be required. In the event that a center is not employed, the OIG should evaluate
its continuous monitoring program for its general support system and ensure that it is providing
reporting in as near real-time as possible to the organization’s risk management function.

Appendix F
Major Contributors to This Report

The CIGIE New Media Working Group

The CIGIE New Media Working Group consisted of representatives of the following Offices of
the Inspectors General:

• Department of Agriculture
• Department of Defense
• Department of Health and Human Services
• Department of Homeland Security
• Department of Housing and Urban Development
• Department of the Interior
• Environmental Protection Agency
• Legal Services Corporation
• National Science Foundation
• Pension Benefit Guaranty Corporation
• Social Security Administration
• Treasury Inspector General for Tax Administration
• United States Postal Service

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your
request to (202) 254-4305, or e-mail your request to our Office of Inspector General
(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional
information, visit our website at: www.oig.dhs.gov, or follow us on Twitter
at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form. Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at
(202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.
'
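The detection that Appendix E's "Data Loss Prevention and Protection" section describes (PII, credit card numbers, phrases, specific combinations of information, and content inside compressed files) is illustrated below for text and attachments bound for a social media post. This is an added example, not part of the report and not any DLP product's code; the phrase list, size and nesting limits, file names, and sample posts are constructed assumptions.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Dashed US SSN; areas 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE)
# Hypothetical phrase list; a deployment would load the organization's own markings.
SENSITIVE_PHRASES = ("draft audit report", "law enforcement sensitive")
MAX_MEMBER_BYTES = 5_000_000   # assumed limits that bound archive expansion
MAX_ARCHIVE_DEPTH = 2


@dataclass(frozen=True)
class Finding:
    rule: str
    location: str
    excerpt: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the alert does not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str, location: str = "post") -> list[Finding]:
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("card_number", location, mask(digits)))
    ssns = [m.group() for m in SSN_RE.finditer(text)]
    findings += [Finding("ssn", location, mask(s)) for s in ssns]
    lowered = text.lower()
    for phrase in SENSITIVE_PHRASES:
        if phrase in lowered:
            findings.append(Finding("phrase", location, phrase))
    # Combination rule: an SSN alongside a date-of-birth label is higher severity.
    if ssns and DOB_RE.search(text):
        findings.append(Finding("ssn_with_dob", location, "SSN + date of birth"))
    return findings


def scan_upload(name: str, data: bytes, depth: int = 0) -> list[Finding]:
    """Scan an outbound attachment, opening ZIP archives and scanning each member."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_text(data.decode("utf-8", errors="replace"), name)
    if depth >= MAX_ARCHIVE_DEPTH:
        return [Finding("unscanned", name, "archive nesting too deep")]
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                where = f"{name}!{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:   # declared size; flag, do not skip silently
                    findings.append(Finding("unscanned", where, "member too large"))
                    continue
                findings += scan_upload(where, zf.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError):          # corrupt or encrypted archive
        findings.append(Finding("unscanned", name, "archive could not be read"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: one text member in a deflate-compressed ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "DRAFT AUDIT REPORT - witness SSN 123-45-6789")
    return buf.getvalue()


# Constructed sample posts (not real data); the card number is a standard test value.
SAMPLE_POSTS = [
    "Our new report on grant oversight is posted.",
    "Refund issued to card 4111 1111 1111 1111, see case file.",
    "Order ref 4111 1111 1111 1112 shipped",            # fails the Luhn check
    "Complainant SSN 123-45-6789, DOB 01/02/1970",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(post, "->", [f.rule for f in scan_text(post)])
    print([(f.rule, f.location) for f in scan_upload("upload.zip", build_sample_zip())])
```

Content that cannot be inspected (oversized, encrypted, or deeply nested archives) is reported as `unscanned` rather than passed silently, so a reviewer can decide whether the post goes out.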